MEMORANDUM FOR: SEE DISTRIBUTION


SUBJECT: DoD Efforts to Protect Critical Program Information:
The Army's Warfighter Information Network - Tactical
(Report No. 10-INTEL-07)


We are providing this report for information and use. We considered
management comments on a draft of this report in preparing the final report.

DoD Directive 7650.5 and Office of Management and Budget Circular No. A-50
require that recommendations be resolved promptly. While management generally
concurred with our recommendations, many of the comments were only partially
responsive because they lacked either a description of actions for accomplishing the
recommendations or a date, and in some instances both. Therefore, we are requesting
additional comments as indicated in the recommendations table on page ii by
August 20, 2010.


If possible, please send a .pdf file containing your comments to
[DoD OIG - (b)(6)]@dodig.mil. Copies of the management comments must contain the
actual signature of the authorizing official. We are unable to accept the Signed
symbol in place of the actual signature. If you arrange to send classified comments
electronically, you must send them over the SECRET Internet Protocol Router
Network to [DoD OIG - (b)(6)]@dodig.smil.mil.


As a result of management comments, we redirected recommendations B2-2
and B6 to reflect the Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security as the cognizant authority for management
comments and recommendation B-8 to reflect the Under Secretary of Defense for
Acquisition, Technology, and Logistics as the lead cognizant authority for
management comments. We received management comments from the two agencies
respectively.


I  03) 60 


We  appreciate  the  courtesies 
P^at  (703) 


DoD  OIG 
-  (b)(6) 
Results in Brief: DoD Efforts to Protect
Critical Program Information: The Army's
Warfighter Information Network - Tactical


What  We  Did 


This is the first in a series of assessments to determine how DoD protects
critical program information (CPI). The Army's Warfighter Information
Network - Tactical (WIN-T) is the first of three acquisition category ID
programs of record to be used as a case study to assess the Department's
effectiveness in protecting CPI. We conducted this assessment in coordination
with DoD research, development, acquisition, counterintelligence (CI), and
security subject matter experts. We analyzed key issue areas related to
program protection, specifically: the ability to identify and protect CPI;
manage the foreign visit program; apply program protection horizontally;
train its workforce in program protection; and optimize intelligence, CI, and
security resources, threat data, and policies to guide program protection
efforts. Because the WIN-T program has no foreign involvement, that issue
area was not relevant. We also assessed DoD program protection efforts for
standardization of protection processes and their application, oversight of
protection processes and responsibility for protection efforts.

What  We  Found 

We found that while DoD and Army policy to protect CPI has progressed in
recent years, there is still a need for improvement. The Army has a good
process in place for identifying CPI through integrated product teams and the
Army Research and Technology Protection Center. However, Army efforts to
protect CPI are not integrated and synchronized to the greatest extent
possible, and they are not optimizing the ability to provide uniform research
and technology protection across the Army.

In addition, program officials were aware of horizontal protection but had
some reservations about the security of the data; and the workforce had
received training in program protection, but training needs to be more
tailored. Also, program personnel used intelligence, CI, and security
resources, threat data, and policies to guide program protection efforts;
however, more coordination is needed among program, intelligence, CI, and
security personnel - especially with Defense Security Service personnel - in
order to optimize their efforts.

What  We  Recommend 

The Under Secretaries of Defense for Acquisition, Technology, and Logistics
(USD(AT&L)) and for Intelligence (USD(I)), the Assistant Secretary of Defense
for Networks and Information Integration/DoD Chief Information Officer
(ASD(NII)/DoD CIO), and the Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security (DUSD(HCI&S)) should develop policies
related to CPI protection in the areas of anti-tamper; commercial
off-the-shelf components; model contract language; standardized guidance for
training; security requirements for contractors processing CPI on contractor
information systems; and the host for the horizontal protection database. The
Assistant Secretary of the Army for Acquisition, Logistics, and Technology
(ASA(ALT)), the Commanding General, Army Materiel Command (CG, AMC), and the
Deputy Chief of Staff (DCS), G-2 (Intelligence) should determine the most
effective means to optimize Army research and technology protection efforts.
The USD(I) should provide guidance on model language and use of the DD
Form 254 to ensure access to and oversight of controlled unclassified CPI in
defense industry.

Management  Comments  and 
Our  Response 

While comments from USD(AT&L), USD(I), ASD/NII, DUSD(HCI&S), ASA(ALT), Army
Deputy Chief of Staff, G-2 (Intelligence) and CG AMC generally concurred with
our recommendations, many of the comments were only partially responsive
because they lacked either a description of actions for accomplishing the
recommendations, a date, and in some instances both in meeting the intent of
the recommendations. Please see the recommendations table on the back of this
page.

Recommendations Table


Management  Recommendations 

Requiring  Comment 

Under Secretary of Defense  B1-1, B1-2, B2-1, B-3, B5-1

(Acquisition, Technology, and

Logistics)

Under Secretary of Defense  B1-1

(Intelligence)

Assistant Secretary of Defense
(Networks and Information
Integration)/DoD Chief
Information Officer


Deputy Under Secretary of  B2-2, B6

Defense (HUMINT,

Counterintelligence, and Security)


Assistant  Secretary  of  the  Army 
(Acquisition,  Logistics,  and 
Technology) 

Commanding  General,  Army 
Materiel  Command 

Army  Deputy  Chief  of  Staff,  G-2 
(Intelligence) 


Please provide comments by August 13, 2010.




No  Additional  Comments 
Required 

B1-1, B1-2, B2-1, B3, B5-1,
B8

B1-1, B3, B5-1, B8

B1-1, B3, B5-1, B8


B2-2,  B6 
Introduction

Protecting critical program information (CPI) is imperative in order for the U.S. to
maintain the technologically-dependent cutting edge of its weapon systems. Critical
program information is defined as elements or components of a research, development, or
acquisition (RDA) program that, if compromised, could cause significant degradation in
mission effectiveness; shorten the expected combat-effective life of the system; reduce
technological advantage; significantly alter program direction; or enable an adversary to
defeat, counter, copy, or reverse-engineer the technology or capability. Critical program
information includes information about applications, capabilities, processes and end
items; elements or components critical to a military system's or network's mission
effectiveness; and technology that would reduce the U.S. technological advantage if it
came under foreign control.

Objective 

The objective of this program protection assessment pilot was to determine how
effectively DoD identifies and protects CPI. Specifically, we assessed the following
eight key areas critical to effective program protection:

• ability to identify CPI;

• effectiveness in developing and implementing a program protection plan;

• training efforts for the protection of CPI;

• use of resources for the protection of CPI;

• effectiveness of policies to protect CPI;

• ability of counterintelligence, intelligence, and security to support the
protection of CPI;

• effectiveness of the foreign visit program; and

• application of “horizontal protection” of CPI.

On December 12, 2008, the DoD Office of the Inspector General, Deputy Inspector
General for Intelligence and the Deputy Under Secretary of Defense (Acquisition and
Technology) cosigned a letter announcing the concept of this program protection
assessment. The goal of the project was to conduct three assessments to evaluate how
effectively DoD and each Military Department identify and protect CPI. The Warfighter
Information Network - Tactical (WIN-T) is the first acquisition category (ACAT) ID
program of record assessed as part of the pilot. See Appendix A for a discussion of the
scope and methodology.


Acquisition Category I programs are major Defense acquisition programs. A major Defense acquisition
program is a program estimated by the USD(AT&L) to require eventual expenditure for research,
development, test, and evaluation of more than $365 million or procurement of more than $2.19 billion, or
those designated by the USD(AT&L) to be major Defense acquisition programs or special interest
programs. Acquisition category I programs have two subcategories. The first subcategory is ACAT IC, for
which the milestone decision authority is the DoD Component Head or, if delegated, the Component
Acquisition Executive. The second subcategory is ACAT ID, for which the milestone decision authority is
the USD(AT&L). The Defense Acquisition Board advises the USD(AT&L) at major decision points. The
USD(AT&L) designates programs as ACAT ID or ACAT IC.


Background 


Warfighter Information Network - Tactical. WIN-T is a high-speed and high-
capacity communications network designed to be the Army's tactical Internet. WIN-T is
intended to provide reliable, secure, and seamless communications for theater and below
initially to modular brigade combat teams (and eventually to Future Combat Systems
brigade combat teams). WIN-T is being developed and fielded in four increments that
will build on one another:

• Increment 1 is the former Joint Network Node-Network program - stationary
networking, which enables the exchange of voice, video, data, and imagery
throughout the tactical battlefield using a satellite-based network;

• Increment 2 - networking on the move, provides command and control on the
move down to the company level for maneuver brigades and implements the core
network capability;

• Increment 3 - full networking on the move, provides full mobility command and
control, to include Future Combat System support, for divisions and below; and

• Increment 4 - protected satellite communications on the move, includes access to
the next generation of protected satellites while retaining all previous on the move
capabilities.

Research and Technology Protection Oversight in the Army - The Army Inspector
General and the Army Audit Agency. Through its Technical Inspections and
Intelligence Oversight divisions, the Army Inspector General provides the Army's input
to the annual summary report of inspections on security, technology protection, and
counterintelligence practices at research, development, test, and evaluation (RDT&E)
facilities. The inspections focus on RDT&E facilities or installations with RDT&E
tenants, including Government-owned, contractor-operated and contractor-owned,
contractor-operated operations. The inspections check for compliance with Army
guidance and identify for Army leadership ways to improve programs and facility
security and disseminate best practices. By focusing on the inspection results, the Army
Inspector General heightens awareness across the community and effectively addresses
security vulnerabilities in Army laboratories and across all Army programs.

At the request of the Secretary of the Army, the Army Audit Agency audited the Army's
research and technology protection (RTP) program, issuing five reports between May
2008 and April 2009. Neither the Warfighter Information Network - Tactical nor its
program executive office was audited by the Army Audit Agency. However, the Army
Audit Agency audits encompassed multiple locations and focused on the adequacy of
procedures used to identify and protect CPI at Army program executive offices, a focus
directly related to our assessment efforts.


Modularity is a major restructuring of the entire Army, involving the creation of Brigade combat teams,
from a Division-based force. The foundation of the modular force is the creation of standardized modular
combat Brigades designed to be stand-alone, self-sufficient units that are more rapidly deployable and
better able to conduct joint operations than divisions.

Prepared by the DoD Office of the Inspector General, Office of the Deputy Inspector General for
Intelligence, based on a request by the Deputy Secretary of Defense to ensure implementation of a uniform
system of periodic reviews through the existing agency and Service inspection processes for compliance
with directives concerning security, technology protection, and counterintelligence practices.



The Army Audit Agency stated that Army program executive offices had adequate
procedures for identifying CPI; however, [illegible] issuing guidance to program
executive offices [illegible]. The Army Audit Agency also
recommended issuing policies and procedures for providing protection guidance to users
of end items with CPI, and having the working group being established to develop an
Army regulation to implement DoD Instruction 5200.39 address the issues identified in
the audit.


Criteria 


DoD  Policy  and  Implementation  Guidance 

It is DoD policy to provide uncompromised and secure military systems to the warfighter
by performing comprehensive protection of CPI through the integrated and synchronized
application of counterintelligence, intelligence, security, systems engineering, and other
defensive countermeasures to mitigate risk. Failure to apply consistent protection of CPI
may result in the loss of confidentiality, integrity, or availability of CPI, resulting in the
impairment of the warfighter's capability and DoD's technological superiority.
Additionally, it is DoD policy to mitigate the exploitation of CPI; extend the operational
effectiveness of military systems through application of appropriate risk management
strategies; employ the most effective protection measures, to include system assurance
and anti-tamper; conduct comparative analysis of defense systems' technologies; and, in
order that CPI protection is aligned horizontally throughout the DoD, document the
measures in a program protection plan. Furthermore, DoD policy requires that contracts
supporting RDA programs wherein CPI has been identified shall contain contractual
terms requiring the contractor to protect the CPI to DoD standards.

DoD Instruction 5200.39 “Critical Program Information (CPI) Protection Within
the Department of Defense,” July 16, 2008 defines what constitutes CPI; establishes
policy for the protection of CPI; and assigns responsibilities for counterintelligence,
intelligence, security, and systems engineering support for the identification and
protection of CPI. Furthermore, it details responsibilities relating to the identification of
CPI and the implementation of program protection plans to DoD Components; and
implements relevant parts of DoD Directive 5000.01 “The Defense Acquisition System,”
DoD Instruction 5000.02, “Operation of the Defense Acquisition System,” December 8,
2008, and continues to authorize the use of DoD 5200.1-M, “Acquisition Systems
Protection Program,” March 1994, to serve as implementation guidance. Also, DoD
Instruction 5200.39 supplements existing policies and guidance related to the security of
DoD personnel, information, resources, installations, and operations to include DoD
contractors performing work or supporting DoD RDA efforts.


Horizontal protection ensures that critical Defense technologies, including critical program information,
associated with more than one RDA program are protected to the same degree by all involved DoD
activities. It is DoD policy to conduct comparative analysis of Defense systems technologies and align
critical program information protection activities horizontally throughout DoD.
DoD Instruction 5000.02 “Operation of the Defense Acquisition System,”
December 8, 2008 establishes within DoD acquisition policy that, during the technology
development phase, the technology development strategy shall document a listing of
CPI and potential countermeasures, such as anti-tamper, in order to inform program
protection planning and design integration. Further, CPI shall be identified as early as
possible, and shall inform the preparation of the program protection plan. Additionally,
during the engineering and manufacturing development phase it states that the protection
of CPI is implemented by applying appropriate system engineering and security
techniques, such as anti-tamper. Moreover, DoD Instruction 5000.02, Enclosure 4, details
“Statutory and Regulatory Information and Milestone Requirements” that apply to all
acquisition programs, and details each milestone and decision point setting forth
mandatory requirements relevant to the identification and protection of CPI.

DoD 5200.1-M “Acquisition Systems Protection Program,” March 1994 prescribes
standards, criteria, and methodology for the identification and protection of CPI
(described as Essential Program Information, Technologies, and/or Systems within this
Manual) within DoD acquisition programs. The protection standards and guidance
described within this Manual are required to prevent foreign intelligence collection and
unauthorized disclosure of essential program information, technologies and/or systems
during the DoD acquisition process.

Defense Acquisition Guidebook, Chapter 8, “Intelligence, Counterintelligence, and
Security Support,” addresses actions required once CPI is identified within an acquisition
program and identifies the critical elements in a comprehensive acquisition protection
strategy, including:

• the responsibilities of program managers (PM) in the prevention of inadvertent
transfers of dual-use and leading-edge military technologies used in defense
platforms;

• the availability of intelligence, counterintelligence, and security support for
acquisition programs and the requirement to use them; and

• guidance and descriptions of support available for protecting technologies.

Army  Policy  and  Implementation  Guidance 

Army Regulation 70-1, “Army Acquisition Policy,” December 31, 2003 implements
DoD Directive 5000.1, DoD Instruction 5000.2, and governs RDA and life-cycle
management of Army materiel within Army acquisition programs. This regulation is the
first order of precedence for managing Army acquisition programs following the Federal
Acquisition Regulation, Defense Federal Acquisition Regulation Supplement, DoD
regulation direction and Army Federal Acquisition Regulation Supplement. It assigns
responsibility for security, intelligence, and counterintelligence policy for the Army's
acquisition process and for security, intelligence and counterintelligence support to Army
acquisition programs with CPI.

Department of the Army Pamphlet 70-3, “Army Acquisition Procedures,”
January 28, 2008 provides guidance on materiel acquisition management and is used in
conjunction with DoD Directive 5000.01, DoD Instruction 5000.02, and Army
Regulation 70-1. It contains information relevant to RDA and life-cycle management of
Army materiel to satisfy approved Army requirements. It details timelines and
procedures for CPI identification, the development of a program protection plan, and
obtaining threat products. Additionally, it provides guidelines for information security
involving controlled unclassified information to foreign entities.
Army Regulation 380-10, “Foreign Disclosure and Contacts With Foreign
Representatives,” June 22, 2005 implements the national policy and procedures for the
disclosure of classified military information to foreign governments and international
organizations, as detailed in DoD Directives 5230.11 and 5230.20 and in DoD Instruction
2040.02. The regulation addresses three areas:

• general disclosure policies, the authority to disclose, and the delegation of
authority;

• modes, methods, and channels for disclosures of classified military information;
and

• the Army's technology protection program.

Relative to CPI, the regulation details the establishment and composition of a technology
control panel to review and develop policy related to the Army's critical technologies.

Army Regulation 381-11, “Intelligence Support to Capability Development,”
January 26, 2007 provides policies, responsibilities, and procedures to ensure that threat
considerations are incorporated into the Defense acquisition process and the Joint
Capabilities Integration and Development System. The regulation provides detailed
implementation of intelligence activities that support CPI identification, the development
of threat products, i.e., System Threat Assessment Report, Multidisciplinary
Counterintelligence Threat Assessment, that support research and technology protection,
and foreign disclosure determinations.

Summary  of  Report 

We organized the results of this assessment into two findings. Finding A discusses the
policies and structure of the Army to protect CPI and details how the Army's efforts to
protect CPI could be strengthened to better protect Army research and technology
programs and activities across the Army. In Finding B, we use WIN-T as a case study to
assess the eight issue areas. We address each issue area separately, focusing on
standardization of protection processes and their application, oversight of the protection
processes, and responsibility for the protection. We assess whether the published
guidance on the protection of CPI in each issue area was relevant and whether program,
intelligence, counterintelligence, and security personnel adhered to the guidance. In
those instances where efforts to protect CPI could be strengthened, we make
recommendations for improvements. We also note best practices.


DoD Directive 5230.11, “Disclosure of Classified Military Information to Foreign Governments and International
Organizations,” June 16, 1992; DoD Directive 5230.20, “Visits and Assignments of Foreign Nationals,”
June 22, 2005; and DoD Instruction 2040.02, “International Transfers of Technology, Articles, and
Services,” July 10, 2008.
Finding A. Army Policy and Structure Need
Improved Integration for Maximum
Protection of Critical Program Information

Current research and technology protection (RTP) efforts of the Army do not provide the
most efficient and comprehensive technology protection. The three key participants in
the Army's RTP process are the Assistant Secretary of the Army (Acquisition, Logistics,
and Technology) (ASA(ALT)); the Commanding General, Army Materiel Command; and
the Deputy Chief of Staff, G-2 (Intelligence); however, their efforts are not integrated and
synchronized to the greatest extent possible, and they are not optimizing the ability to
provide standardized efforts to protect Army research and technology programs and
activities across the Army.

Policies  Establishing  Roles  for  Research  and 
Technology  Protection 

DoD and the Army continually seek ways to deal with the complexities of program
protection because synchronization across so many commands and functional areas is a
challenge.

Department of Defense Policy

DoD Instruction 5200.39 establishes the responsibilities of the Under Secretary of
Defense (Acquisition, Technology, and Logistics) (USD(AT&L)) for the protection of
CPI in DoD acquisition programs. It instructs the USD(AT&L) to lead in the
establishment of a consistent process for the identification and protection of CPI and to
require a program protection plan for RDA programs in which CPI has been identified.

As the milestone decision authority for major defense acquisition programs, the
USD(AT&L) also has the lead in establishing procedures outlining program protection
plan development and approval in collaboration with the Under Secretary of Defense
(Intelligence), the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer, the Under Secretary of Defense (Policy),
and with DoD Components.


The program protection plan is designed as a dynamic planning tool to capture in a single document the
most effective means to protect CPI from unauthorized foreign collection activities and unauthorized
disclosure; and to develop those protection measures that will ensure a combat system's effectiveness
throughout its lifecycle. When a determination of CPI is made, a program protection plan is required for
milestone decision authority review and approval at all milestones. The program protection plan is
required to address the foreign collection threat to the CPI that has been identified by intelligence and
counterintelligence agencies. Within the Army the PM is required to develop the program protection plan.
To this end, the PM is supported by the Deputy Chief of Staff, G-2's Army Research and Technology
Protection Center and the Army Materiel Command, G-2. Based upon the identification of CPI, the PM
obtains validated threat products from the Army Counterintelligence Center and the system threat
assessment from the National Ground Intelligence Center in order to develop credible cost effective system
engineered security and countermeasures.
In addition, DoD Instruction 5200.39 authorizes the USD(AT&L) to provide direction
and management oversight for the identification and protection of CPI for programs
under the cognizance of the USD(AT&L).

Army  Policy 

l'o  implement  lhe  requirements  to  protect  t  PI,  Army  Regulation  7U-! '  established  an 
\rmy  Research  and  Technology  Protection  (  enter  (ARTPC)  under  the  auspices  of  the 
Deputy  Chief  of  Staff,  (i-2.  The  \RTP(  ’  was  created  to  support  acquisition  programs 
over  which  the  Army  has  cognizance  by  integrating  and  synchronizing  sccuniy . 
intelligence,  counterintelligence,  foreign  disclosure,  and  security  countermeasure  support 
to  RTP  activities  Army-wide. 

Army  Regulation  38i-l  l  tasks  the  ASA(AI.T)  to  ensure  that  there  arc  vufliaeni 
intelligence  resources  to  support  long  range  planning  and  that  plans  reflect  the  threat 
Array  Regulation  381-11  also  requires  the  ASA(AT  T )  to  obtain  and  hind 
multidisciplinary  intelligence  support  tor  RDA  requirements.  As  the  Army  Acquisition 
Executive,  the  A$A(  ALT)  senes  as  the  milestone  decision  authority  tor  major  Army 
acquisition  programs  and  has  approval  authority  for  corresponding  acquisition  program 
protection  plans. 

Army Regulation 381-11 requires the Army Materiel Command to determine intelligence
support requirements for threats to capability development under Army Materiel
Command purview and to provide requisite threat support in collaboration with other
threat support activities and the Deputy Chief of Staff, G-2; provide foreign intelligence
officers at the appropriate Life Cycle Management Commands, Research, Development,
and Engineering Commands, and laboratories to serve as the primary sources of
multidisciplinary intelligence support to program executive offices/PMs and technical
and laboratory directors; coordinate with program executive offices/PMs and the Deputy
Chief of Staff, G-2, to ensure appropriate funding is provided for multidisciplinary
intelligence support of Army RDA programs; serve as the Army point of contact for
coordination of input to the military critical technology list; provide multidisciplinary
intelligence support and guidance to technology-based programs; and provide threat input
to program management documents.

Where intelligence gaps exist, the Regulation requires the Army Materiel Command to
prepare and submit requirements for new intelligence; provide technology assessments in
support of international cooperative programs, foreign comparative testing, technology
protection, and export control activities; and identify and submit command intelligence
support requirements.


At the time Army Regulation 70-1 was published, DoD Directive 5200.39, "Security, Intelligence, and
Counterintelligence Support to Acquisition Program Protection," September 10, 1997, was the existing
guidance for the protection of CPI; however, DoD Instruction 5200.39 was published in 2008 and provides
the current guidance for the protection of CPI.

The Army's Research and Technology Protection Program

The Army's RTP program was established to provide tailored, life-cycle comprehensive
RTP to DoD acquisition programs with CPI, and to Research, Development, and
Engineering Centers where critical research is conducted. The acquisition, security,
intelligence, and counterintelligence communities work together to develop an integrated
approach to protecting the sophisticated technology in Defense systems.

Under this program, the ASA(ALT) has overall responsibility for protection of research
and technology. To support these protection efforts, the Army Materiel Command has
life-cycle protection responsibilities; and the Deputy Chief of Staff, G-2, provides
security, intelligence, and counterintelligence support.

The ASA(ALT), in conjunction with representatives from the Army Materiel Command
and the Deputy Chief of Staff, G-2, is developing RTP policy for the Army. The
ASA(ALT) anticipates that the policy will be completed by December 15, 2010.


Players  and  Roles 

Army’s  Defense  Industrial  Base6  Cyber  Security  Office 

The Army Defense Industrial Base Cyber Security Office, formerly the Army Defense
Industrial Base Cyber Security Task Force, was created in the ASA(ALT) to address two
key trends facing program protection in the defense industrial base: (1) digitalization of
information and (2) globalization of economic activity.


• Digitalization of information has introduced greater risk of compromise of
DoD-controlled unclassified information, held by the defense industrial base, that is


These  trends  necessitate  a  much  more  comprehensive  approach  to  acquisition  risk 
management  than  has  traditionally  been  taken. 


The defense industrial base includes hundreds of thousands of domestic and foreign entities and their
subcontractors performing work for DoD and other federal agencies. Defense-related products and
services provided by the defense industrial base equip, inform, mobilize, deploy, and sustain forces
conducting military operations.

OASA ALT - (b)(4)


[...] DoD Instruction 5200.39 clarifies
definitions, responsibilities, [...] protecting CPI.

Because no single office existed within the Army to manage these and other emerging
risks, the ASA(ALT) created the Defense Industrial Base Cyber Security Office, which is
responsible for organizing and coordinating Army efforts to mitigate risks to Army
acquisition programs. The Defense Industrial Base Cyber Security Office focuses on
countering cyber extraction of controlled unclassified information from defense industrial
base unclassified networks. For more information on the Army Defense Industrial Base
Cyber Security Office, see Appendix F.

Army  Materiel  Command 

The Army Materiel Command is the Army's principal materiel developer and is the
Army's Executive Agent for RTP across the materiel lifecycle. In the Army's 2009
campaign plan, the Army Materiel Command was tasked to, in conjunction with the
ASA(ALT) and the Training and Doctrine Command, develop and field advanced
technology to provide materiel solutions to the current and future forces and to establish
safeguards for newly developed and existing technologies through effective technology
protection programs.

The mission of the Army Materiel Command, G-2 (Intelligence) is to protect sensitive
programs and information, identify threats to current capabilities and technologies under
development, and provide intelligence and security support to Army Materiel Command
strategic plans and operations.

The mission of the Army Materiel Command, G-2's Technology Protection Division is to
identify and protect CPI from the earliest point possible to mitigate the risk of
compromise. This is accomplished through developing, implementing, and overseeing
policies and programs to ensure their relevance and effectiveness throughout the
commands; through ensuring that the research and technology program is mainstreamed
by the RDA community; and through providing comprehensive counterintelligence
support to Army Materiel Command requirements.

The Army Materiel Command also has a Technology Protection Officer located at four
Life Cycle Management Commands to provide expert, authoritative, multidisciplinary
security, program protection, and policy advice; conduct multidisciplinary protection
planning of weapons systems, programs, and projects; and provide life-cycle protection
support to pre-acquisition and acquisition programs, whether in development or fielded.
The technology protection officer conducts in-depth technology assessments and system
decomposition of RDT&E and acquisition programs to identify CPI.

The Technology Protection Officer orchestrates and synchronizes program protection
support activities, including security, program protection, program protection training,
classification management, industrial security, operations security, public affairs, system
security engineering, threat data requirements, counterintelligence, technical intelligence,
foreign disclosure, anti-tamper measures, and technology transition.

The Technology Protection Officer integrates requirements for threat intelligence, risk
assessments, vulnerability analysis, program protection plans, technology control plans,
and countermeasure implementation. The Technology Protection Officer also manages
issues such as national disclosure policy, foreign relations, commercial and dual-use
commodities and export controls.

During our on site visit to talk with WIN-T program, CECOM Life Cycle Management
Command, counterintelligence, and Defense Security Service officials, the technology
protection officer had relocated to Aberdeen Proving Ground, MD. We discovered that
the Technology Protection Officer was also not represented on the WIN-T integrated
product team process.

The Army Deputy Chief of Staff, G-2, and the Army Research and
Technology Protection Center

The concept of the ARTPC under the Deputy Chief of Staff, G-2, evolved in August
2000, when the Chief of Staff of the Army asked "How will we ensure when we field
FCS [Future Combat System] Objective Force that the technological overmatch
designed-in is protected?" That question was the impetus for an assessment of how the
Army protects research and technology. The assessment identified the following
protection obstacles and deficiencies.

• Accountable officials lacked knowledge about protection planning.

• Policies were parochial, ambiguous, or contradictory.

• Consistency in meeting protection requirements was lacking.

• No standard of sufficiency existed, leading to overprotection or underprotection.

In response, the Army sought to establish a consistent process and standard for
technology protection by

• providing full-time skilled technology protection support;

• assigning Technology Protection Engineers to acquisition nodes;

• providing onsite or "on request" support to PMs;

• integrating and coordinating technology protection efforts of others;

• continuing mission area analysis to enable continuous improvement; and

• assembling functional experts in program protection, threat management, foreign
disclosure, security, vulnerability, and policy; Technology Protection Engineers;
and program protection architects.


The Defense Security Service assists DoD Component counterintelligence elements in coordinating the
execution of a counterintelligence support plan at cleared Defense contractors with CPI; develops and
conducts training for DoD and Defense contractor security personnel regarding CPI protection activities;
and during the conduct of regularly scheduled security inspections at cleared Defense contractor facilities,
determines if there are any contractually imposed protection measures for CPI related to classified contracts
at these locations.

Technology protection engineers have the following types of technical education and experience:
electrical engineering, mechanical engineering, industrial engineering, system security engineering,
software engineering, aeronautical engineering, nuclear engineering, information technology, physics, and
chemistry.

Program protection architects have the following types of technical education and experiences: security,
intelligence, and law enforcement backgrounds; program protection, information security, information

To establish consistency and to standardize CPI identification and protection Army-wide,
the ARTPC was established by the Deputy Chief of Staff, G-2 in October 2002. The
ARTPC's purpose is to ensure that the RTP planning process achieves the goal of
protecting the Army's CPI. The ASA(ALT) issued a memorandum that encourages
Army acquisition programs to use the ARTPC in identifying CPI in their programs. In its
efforts to support Army RTP efforts, the ARTPC has adopted a 360-degree protection
approach, consisting of:

• security classification guides,

• delegation of disclosure authority letters,

• a communications strategy,

• contracts,

• patents,

• operations (including testing),

• operations security,

• CPI identification,

• program protection plans, and

• technology protection plans.

The ARTPC takes a best practice approach in composing its RTP teams. It integrates
technologists, engineers, and security experts to assist in the two most important aspects
of RTP: identification of CPI, and implementation of countermeasures to protect CPI.
That the ARTPC has engineers and technologists who are trained in counterintelligence
and security, as opposed to counterintelligence and security professionals who receive
training in engineering and technologies, helps them better understand cutting-edge
technologies and the threats to those technologies - especially in developing and
implementing countermeasures to counter these threats as early in the process as possible.

Areas  to  Improve  Integration,  Synchronization,  and  Optimization  for 
Maximum  Protection  of  Critical  Program  Information 

To highlight where the program protection structure is uneven, the Deputy Chief of Staff,
G-2's ARTPC has a good blend of technical and program security professionals;
however, their role is limited to the facilitation of CPI identification and corresponding
countermeasure development.

The Army Materiel Command has life-cycle CPI protection responsibilities, but the
technology protection officer was not integrated into the WIN-T integrated product team
process, and although the Program Executive Office for Command, Control,
Communications Tactical has comprehensive program protection plan implementation
guidance, the list of program protection team representation does not include the
technology protection officer. The Army Materiel Command's life-cycle protection
efforts would be enhanced by being involved in all aspects of program protection,
especially sustainment and demilitarization.


assurance, classification management, physical security, operations security, counterintelligence threat
analysis, counterintelligence operations, human intelligence, law enforcement, special access program
security, personnel security, foreign disclosure policy, industrial security, anti-terrorism, threat analysis,
tactical intelligence, operational intelligence, strategic intelligence, and asset protection.

Above all, the ASA(ALT), primarily through its program executive offices and PMs, has
responsibility for all aspects of program execution, to include security. By ensuring
program executive offices and PMs are cognizant of standardized protection processes
and their application, overseeing the protection processes, and knowing their
responsibility for and leveraging protection efforts, it will greatly support the program
goals of cost, schedule, and performance when making security-related decisions, such as
the application of countermeasures like anti-tamper, the associated costs, and the
subsequent effectiveness of those countermeasures.

Although the above policies highlight the different roles and responsibilities for the Army
to protect its CPI, the policies do not focus on total integration of security, intelligence,
and counterintelligence throughout a program's lifecycle. In its April 29, 2009 report
"Army Research and Technology Protection Program: Office of the Assistant Secretary
of the Army (Acquisition, Logistics, and Technology)," Audit Report No. A-2009-0094-ZB1,
the Army Audit Agency recommended that the ASA(ALT) issue guidance to
program executives to: document determinations that systems do not contain CPI; obtain
protection guidance from other programs that provide items with CPI; assign
responsibility for implementing program protection plans; ensure that statements of work
clearly describe the requirements for contractors to implement program protection plans;
develop a tracking system to monitor the implementation status of countermeasures;
develop and issue policy and procedures for providing protection guidance to users of
end items with CPI; and [most importantly] ensure that the working group being
established to develop an Army regulation to implement DoD Instruction 5200.39
address the issues identified in the audit. The ASA(ALT) agreed and is in the process of
implementing the recommendations.

As the lead for developing RTP policy for the Army, the ASA(ALT), in conjunction with
the Army Materiel Command, and the Deputy Chief of Staff, G-2 can ensure that the
Army's new RTP policy standardizes RTP efforts, as well as clearly delineates
responsibilities to integrate, synchronize, and optimize Army cradle-to-grave efforts to
protect CPI. The ASA(ALT), through this process, can also ensure that Army efforts to
protect CPI are closely aligned with DoD efforts and guidance.

Conclusion 

Protection activities span Military Departments, DoD agencies, and beyond; coordination
and integration of RTP requires Department-level emphasis and involvement. Aligning
Army RTP efforts with ongoing DoD RTP efforts, as outlined in DoD Instruction
5200.39, will allow greater integration and synchronization across the Army and DoD.
Policy, training and oversight should be synchronized to allow the most effective use of
RTP personnel and to ensure proper execution of program protection plans, from concept
to demilitarization.

Additionally, the ASA(ALT) appoints the PM, who is responsible for all aspects of
program execution, including its security. As the central participant for program
protection, the PM should have a complete understanding of the capabilities that the
security, intelligence, and counterintelligence communities can provide.

Because the ARTPC takes a best practice approach in the formulation of its RTP teams, it
greatly enhances the teams' ability to provide assistance in the two most important
aspects of RTP - identification of CPI and implementation of countermeasures to protect
CPI.

Integrated product teams could benefit immeasurably from the unique perspective of the
ARTPC. The ARTPC concept is also integral to any command's functions for executing
RTP integration and synchronization of CPI countermeasures from cradle to grave.

As the Army's materiel developer, the Army Materiel Command has responsibility for
RTP support to all Army organizations executing RDA across the materiel lifecycle.
Moreover, with the dedicated RTP support provided by the ARTPC and the Army
Materiel Command, G-2, specifically with the Technology Protection Engineers and
technology protection officers, the PM could ensure that they are optimizing the available
RTP support to the greatest extent possible. However, this does not occur in a concerted
and deliberate manner. The ASA(ALT), Army Materiel Command, and Deputy Chief of
Staff, G-2 must ensure that their RTP efforts, policy, and training are integrated,
synchronized and optimized, and are aligned with DoD efforts.

Recommendations,  Management  Comments,  and  Our 
Response 

A. We recommend that the Assistant Secretary of the Army for Acquisition,
Logistics, and Technology, in conjunction with the Commanding General, Army
Materiel Command, and the Army Deputy Chief of Staff, G-2, review and develop a
plan of action that will result in the most efficient and effective means to integrate,
synchronize, and optimize research and technology protection efforts for the Army.

Management  Comments 

On behalf of the Commanding General, Army Materiel Command and the Army Deputy
Chief of Staff, G-2, the Assistant Secretary of the Army for Acquisition, Logistics, and
Technology concurred with the recommendation. The Assistant Secretary of the Army
for Acquisition, Logistics, and Technology with input from the Army Deputy Chief of
Staff, G-2, the Army Research and Technology Protection Center, and the Army Materiel
Command G-2 are developing an Army regulation that will address research and
technology protection responsibility to ensure Army programs properly identify critical
program information and implement countermeasures to effectively prevent compromise
of critical program information. The Assistant Secretary of the Army for Acquisition,
Logistics, and Technology expects to publish the regulation by December 15, 2010.

Our  Response 

The consolidated comments of the Assistant Secretary of the Army for Acquisition,
Logistics, and Technology, the Commanding General, Army Materiel Command, and the
Army Deputy Chief of Staff, G-2 are responsive and meet the intent of the
recommendation. Please provide us a draft of the regulation prior to issuance.

Finding B. The Army’s Warfighter
Information Network - Tactical Program’s
Efforts to Protect Critical Program
Information


Within the framework of the eight issue areas, we assessed program protection efforts for
standardization of CPI protection processes and their application, oversight of the CPI
protection process and its implementation, and responsibility for the protection of CPI,
using the Army's WIN-T as a program of record case study. Recent DoD issuances, such
as DoD Instruction 5200.39, were the primary assessment tool for this pilot and have
established a good framework for RTP. However, and in spite of demonstrated best
practices, efforts are not fully integrated, synchronized, and optimized to the greatest
extent possible and do not provide standardized efforts to protect CPI across the
Department. We found the following:

• Areas of existing issuances need to be enhanced; new guidance needs to be
crafted, such as guidance for anti-tamper measures; and the DoD CPI protection
manual containing detailed measures for RTP should be promulgated.

• Guidance should be established for identifying commercial
off-the-shelf/government off-the-shelf components as critical program information, to
include assessment tools and training.

• Standardized guidance for training in CPI protection should be developed for use
by the RTP community.

• Guidance should be provided on model contract language in support of program
protection planning to DoD and Component RTP officials.

• Guidance should be developed that describes:

o what can and should be contained in the DD Form 254, "Department of
Defense Contract Security Classification Specification," for the protection
of controlled unclassified CPI.

o how program protection should be implemented at the level of
subcontractors, and how to verify contractor compliance with the
DD Form 254 and the program protection plan.

• Security requirements for contractors processing CPI on non-DoD information
systems should be developed and published.

• The appropriateness of using the Secret Internet Protocol Router network as the
host for the horizontal protection database should be determined.

Issue  Area  One:  Ability  to  Identify  Critical  Program 
Information 

We assessed this issue area to determine whether published guidance for the
identification of CPI is relevant to and adhered to by program, security, intelligence, and
counterintelligence personnel. We also sought to determine whether there was a
working-level integrated product team to assist with and collaborate on the identification
of CPI. If so, we wanted to assess how the mission, composition, and effectiveness of the
working-level integrated product team contributed to the identification of CPI and
whether the working-level integrated product team performed a functional decomposition
of the program or system. We determined that the WIN-T program office had an
effective process for identifying CPI.

DoD Instruction 5200.39 states that the USD(AT&L) should


• lead the effort, in collaboration with the Under Secretary of Defense (Intelligence)
and the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer, to establish a consistent process for
the identification and protection of CPI that takes into account the role that
research, development, acquisition, counterintelligence, intelligence, security, and
systems engineering personnel perform;

• provide direction and management oversight for the identification and protection
of CPI for RDA programs under the cognizance or oversight of the USD(AT&L);

Because of the current definition of CPI in DoD Instruction 5200.39, guidance that
clarifies that CPI can be either critical technology or functionality, WIN-T did not
identify CPI at the outset, but recently identified CPI in its latest CPI identification
integrated product team process.

Warfighter  Information  Network  -  Tactical  Integrated  Product  Team. 

WIN-T program management office personnel, serving on an integrated product team
with representatives from the ARTPC, prime and subcontractors, the National Ground
Intelligence Center, and 902nd Military Intelligence Group, conducted a CPI assessment
of the WIN-T Increments 2 and 3 beginning January 20 and ending January 29, 2009.

The team comprised systems engineering, information assurance, engineering
management, and software engineering experts. We did not find that science and
technology expertise was represented on the team. The ARTPC facilitated the process,
focusing on the WIN-T network's functionality and architecture and on the design
modifications required to implement the WIN-T network integration of commercial
off-the-shelf, Government off-the-shelf, and custom items. The integrated product team
assessed all items configured under WIN-T Increments 2 and 3, using the ARTPC CPI
tool.13

On February 11, 2009, the Acting ASA(ALT) published a memorandum, "Identification
and Protection of Critical Program Information (CPI)," stating that PMs will use
integrated product teams comprising program, technical, systems engineering,
counterintelligence, intelligence, and security experts to assist in identifying CPI.

The WIN-T program used a cross-discipline integrated product team that included
systems engineers, demonstrating that the DoD Instruction 5200.39 requirement for
cross-discipline teams is already proving effective. However, the reason for lack of
science and technology participation should be explored and rectified, either through
clarification in the forthcoming program protection manual or through training or
guidance.


The 902nd Military Intelligence Group and National Ground Intelligence Center are elements of the U.S.
Army Intelligence and Security Command, which, along with the ARTPC, are elements of the U.S. Army
Deputy Chief of Staff for Intelligence (G-2).

The ARTPC tool is a survey tool that guides the user through a series of questions to ascertain whether
the program potentially contains critical program information.

Warfighter Information Network - Tactical and Anti-tamper. The March
2004 Government Accountability Office Report, "DoD Needs to Better Support Program
Managers' Implementation of Anti-Tamper Protection," identified defining critical
technology as the first step and the basis for determining the need for anti-tamper
countermeasures. The anti-tamper section of Chapter 8 of the Defense Acquisition
Guidebook states that PMs should develop and implement anti-tamper measures to
protect CPI in U.S. defense systems developed using co-development agreements, sold to
governments, or removed from U.S. control through




In its January 2008 report "Department-wide Direction is Needed for Implementation of
Anti-Tamper Policy," the Government Accountability Office recommended that "the
Secretary of Defense direct the Under Secretary of Defense (Acquisition, Technology,
and Logistics) in coordination with the Anti-Tamper Executive Agent and the Under
Secretary of Defense (Intelligence), to issue department-wide direction for application of
its anti-tamper policy that prescribes how to carry out the policy and establishes
definitions for critical program information and critical technologies."


In its response DoD non-concurred, stating that "The USD(I) is the office of primary
responsibility for DoDD[irective] 5200.39, "Security, Intelligence and
Counterintelligence Support to Acquisition Program Protection," and its successor,
DoDI[nstruction] 5200.39, "Critical Program Information (CPI) Protection within the
Department of Defense." USD(I) is currently coordinating an update to the directive.

The Anti-Tamper Executive Agent has proposed the incorporation of anti-tamper policy
in this revision. The considered policy for anti-tamper mandates 'For critical
technology type CPI, employ appropriate anti-tamper during the RDA process unless
waived in writing by MDA or equivalent.' Following the issuance of the updated DoDI
5200.39, the Department will revise the DoD 5200.1-M, "Acquisition Systems
Protection," the implementing manual for the directive which provides the execution
standards and guidelines to meet the DoDI 5200.39 policy. The Anti-Tamper Executive
Agent's plan is to include a new section in the manual that is explicitly for anti-tamper.
This will describe how to implement anti-tamper to protect technology CPI for U.S.-only
cases, foreign military sales, direct commercial sales, and science and technology
programs."


Anti-tamper measures refer to the systems engineering activities intended to prevent or delay exploitation
of critical technologies in U.S. weapons systems. These activities involve the entire lifecycle of systems
acquisition, including research, design, development, implementation, and testing of anti-tamper measures.

Warfighter Information Network - Tactical and Commercial
Off-the-Shelf/Government Off-the-Shelf


Another issue was commercial off-the-shelf components as CPI candidates. No guidance
on commercial off-the-shelf components and corresponding protection mechanisms
appears in DoD Instruction 5200.39 or in chapter eight of the Defense Acquisition
Guidebook. Critical program information assessment tools, guidance, and training
should be reviewed and modifications should be considered to address identification of
commercial off-the-shelf components as CPI.

The guidance should allow the possibility that commercial off-the-shelf components are
CPI or that the commercial off-the-shelf components' functionality is so critical to the
CPI functionality that the countermeasure (for example, anti-tamper packaging or supply
chain risk mitigation) is best applied to the commercial off-the-shelf component.

The USD(AT&L) and the Under Secretary of Defense (Intelligence) are leading working
groups (see Appendix D) on initiatives to improve the protection of CPI and develop a
standardized process for identifying CPI and associated countermeasures, to include
anti-tamper. In addition, the Under Secretary of Defense (Intelligence) is leading efforts to
ensure a CPI identification tool is being incorporated in a forthcoming CPI protection
manual. Standardizing the process for identifying CPI will ultimately minimize
subjectivity.

Conclusion 

WIN-T program office staff had an effective process for identifying CPI. The process
used an integrated product team and the ARTPC. The USD(AT&L) and the Under
Secretary of Defense (Intelligence) are leading working groups (see Appendix D) formed
to improve the protection of CPI by, among other things, developing a standardized
process for identifying CPI.


OASA ALT - (b)(5)


Critical program information assessment tools, guidance, and training should be
reviewed, and modifications should be considered, to address identification of
commercial off-the-shelf components as CPI. The guidance should allow the possibility
that commercial off-the-shelf components are CPI or that the commercial off-the-shelf
component's functionality is so critical to the CPI functionality that the countermeasure
(for example, anti-tamper packaging or supply chain risk mitigation) is best applied to the
commercial off-the-shelf component.

Recommendations, Management Comments, and Our Response

B1-1. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics, in consultation with the Under Secretary of Defense for
Intelligence, the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer, and Component RTP officials
promulgate anti-tamper policy that ensures that anti-tamper countermeasures are
considered early in the identification process, are standardized, and can be
integrated throughout the Department.


Management  Comments 


The Under Secretary of Defense for Acquisition, Technology, and Logistics, the Under
Secretary of Defense for Intelligence, and the Assistant Secretary of Defense (Networks
and Information Integration)/DoD Chief Information Officer concurred with the
recommendation.


Our  Response 

The comments of the Under Secretary of Defense for Acquisition, Technology, and
Logistics, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of
Defense (Networks and Information Integration)/DoD Chief Information Officer are
partially responsive in meeting the intent of the recommendation. Although the draft
DoD Manual 5200.39-M, "Procedures for Critical Program Information Protection
Within the Department of Defense," is in the formal coordination stage, throughout this
report organizations make reference to the draft manual as containing the resolution to
our recommendations. As the proponent for the manual, the Under Secretary of Defense
for Intelligence should provide a date when the draft manual will be completed.
Additionally, if the Under Secretary of Defense for Acquisition, Technology, and
Logistics believes that the formal coordination process for the draft manual will prevent
timely guidance from reaching program protection officials, then steps should be taken to
provide interim guidance, such as a policy letter or directive type memorandum, to ensure
timely delivery of anti-tamper guidance. Guidance that provides consistency across the
Department and ensures anti-tamper is considered early will also save money by
alleviating the need to pay for costly anti-tamper countermeasures later in the program's
development.

B1-2. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics establish guidance for identifying commercial
off-the-shelf/government off-the-shelf components as critical program information, to
include assessment tools and training efforts.

Management  Comments 

The Under Secretary of Defense for Acquisition, Technology, and Logistics concurred
with the recommendation.

Our  Response 

The comments of the Under Secretary of Defense for Acquisition, Technology, and
Logistics are partially responsive in meeting the intent of the recommendation. The
Under Secretary of Defense for Acquisition, Technology, and Logistics should provide
an action plan and a date for establishing the guidance for identifying commercial
off-the-shelf/government off-the-shelf components as critical program information, to
include assessment tools and associated training efforts.

Issue Area Two: Effectiveness in Developing and Implementing a Program Protection Plan

We assessed this area to determine whether published guidance for the planning of
program protection is relevant and adhered to by program, intelligence,
counterintelligence, and security personnel and to ensure that program protection
planning was in accordance with DoD Instruction 5200.39. Because the WIN-T program
office had not completed its program protection plan, we are unable to assess the plan's
effectiveness.

DoD  Instruction  5200.39  states  that  it  is  DoD  policy  to  require  that  contracts  supporting 
RDA  programs  where  CPI  has  been  identified  contain  language  requiring  the  contractor 
to  protect  the  CPI  to  DoD  standards.  DoD  Instruction  5200.39  also  states  that  the 
USD(AT&L) should:

• require a program protection plan for all RDA programs with CPI within the
purview of the USD(AT&L) and establish procedures outlining the program
protection plan development and approval process in coordination with the Under
Secretary of Defense (Intelligence), the Assistant Secretary of Defense (Networks
and Information Integration)/DoD Chief Information Officer, the Under Secretary
of Defense (Policy), and the DoD Components, and

• lead the collaboration with the Assistant Secretary of Defense (Networks and
Information Integration)/DoD Chief Information Officer and the DoD
Components for review of major Defense acquisition programs' program
protection plans for sufficiency before their Defense Acquisition Board milestone
decision reviews and at major acquisition strategy updates.

The program protection plan is used to develop tailored protection guidance for
dissemination and implementation throughout the program for which it is created. The
layering and integration of the selected protection requirements documented in a program
protection plan provide for the integration and synchronization of CPI protection
activities. The following are considered key elements of a program protection plan and
are tailored to meet the requirements of a RDA program:

•  technology  and  project  description  or  system  and  program  description,  with  an 
emphasis  on  what  is  unique,  as  the  foundation  for  identifying  CPI; 

• list of CPI to be protected in the program (this generally describes classified CPI
in an unclassified manner and is not suitable for horizontal protection analysis or
the preparation of a counterintelligence assessment);

• threats to CPI;

• foreign threats;

• a summary of the counterintelligence assessment (the full report is an attachment
to the plan);

• vulnerabilities of CPI to identified threats;

• countermeasures (all disciplines, as appropriate);

• counterintelligence support plan;

• anti-tamper annex;

• operations security plan;

• system assurance;

• technology assessment/control plan;

• classification guides;

• protection costs; and

• follow-on support.


The February 11, 2009 memorandum, "Identification and Protection of Critical Program
Information (CPI)," published by the Acting ASA(ALT), states that program
management offices should seek the services offered by the ARTPC in developing
protection countermeasures.


OASA ALT - (b)(5)


OASA ALT - (b)(5)


We recommend the Army Audit Agency's April 29, 2009 report "Army Research and
Technology Protection Program; Office of the Assistant Secretary of the Army
(Acquisition, Logistics, and Technology)," Audit Report No. \-2(M>9-o()oa- /LU. to


In addition, and is written in the Program Executive Office Command, Control,
Communications Tactical's Program Protection
guidance, the I

Publishing guidance that provides model contract language would make it easier for
programs to contract for CPI protection. Program management offices should do the
following:

• provide the Defense Security Service with the program protection plan and the
program office's specific requirements for the cleared contractor and the related
documents for the protection of CPI, a list of the related counterintelligence and
security risks to the contractor, and a copy of the relevant counterintelligence
support plan;

• ensure that contracts require the prime contractor to participate in the
identification of CPI and to implement countermeasures for identified CPI at
contractor facilities;

• ensure contracts and DD Forms 254 include clauses authorizing certain
Government personnel access to prime contractor and subcontractor facilities to
conduct surveys, assessments, inspections, and investigations as necessary to
make sure CPI is properly protected; and

• include language in contracts that the prime contractor must

■ communicate program protection requirements to subcontractors that will
have access to or will be providing CPI,

■ require subcontractors to continually monitor protection measures, and

■ monitor the subcontractors' performance monitoring.

Conclusion 

Once the WIN-T program protection plan is complete, and as outlined in the Army Audit
Agency reports and Program Executive Office Command, Control, Communications
Tactical's Program Protection Plan policy and implementation guidance, the WIN-T PM
should fully implement countermeasures articulated in the program protection plan,
meeting specific milestone dates for their implementation; develop a tracking system for
monitoring the implementation of the countermeasures; conduct site visits to assess the
contractor's implementation of the countermeasures; and use the results of the site visits
to evaluate the effectiveness of the countermeasures. The WIN-T PM should also require
the contractor to prepare a program protection implementation plan to inform the WIN-T
program management office how the contractor intends to protect CPI and implement the
countermeasures articulated in the program protection plan. Providing contract language
in guidance would make it easier for the program management office to contract for CPI
protection. Defense Security Service personnel were not aware that CPI resided within
the prime contractor's and subcontractors' facilities because CPI was not identified in the
DD Form 254 provided to cleared contractors. The Defense Security Service should be
provided a copy of the program protection plan and the program office's specific
requirements for the cleared contractor and the related documents for the protection of
CPI, and the DD Form 254 should reflect the information needed to protect CPI.

Recommendations, Management Comments, and Our Response

B2-1. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics provide guidance on model contract language in support
of program protection planning to DoD and Component RTP officials.

Management  Comments 

The Under Secretary of Defense for Acquisition, Technology, and Logistics concurred
with the recommendation.

Our  Response 

The comments of the Under Secretary of Defense for Acquisition, Technology, and
Logistics are partially responsive in meeting the intent of the recommendation. The
Under Secretary of Defense for Acquisition, Technology, and Logistics should provide
an action plan and a date for establishing the guidance on model contract language in
support of program protection planning.

As a result of management comments, we redirected Recommendation B2-2 from the
Director, Defense Security Service to the Deputy Under Secretary of Defense for
HUMINT, Counterintelligence, and Security.

B2-2. We recommend that the Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security provide guidance on model language in the DD
Form 254, in order to provide the Defense Security Service with the information
they need to protect critical program information.

Management  Comments 

The Deputy Under Secretary of Defense for HUMINT, Counterintelligence, and Security
concurred with the recommendation to provide guidance on model language in the DD
Form 254, in order to provide the Defense Security Service with the information they
need to protect critical program information. The Deputy Under Secretary of Defense for
HUMINT, Counterintelligence, and Security will revise language in the draft DoD
Manual 5200.39-M, to address both classified and unclassified CPI by instructing users to
complete the DD Form 254 to ensure that contractors are advised by the Program
Manager and that the Defense Security Service is informed of unclassified CPI residing
at a contract facility.

Our  Response 

The comments of the Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security are partially responsive in meeting the intent of the
recommendation. The Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security should provide a date for providing model language in
the DD Form 254 through revision of the language in the draft DoD Manual 5200.39-M.
If the Deputy Under Secretary of Defense for HUMINT, Counterintelligence, and
Security believes that the formal coordination process for the draft manual will prevent
timely guidance from reaching program protection officials, then steps should be taken to
provide interim guidance, such as a policy letter or directive type memorandum, to ensure
timely delivery of changes to the DD Form 254.

Issue Area Three: Training Efforts for the Protection of Critical Program Information

We assessed this issue area to determine whether published guidance for training to
identify and protect CPI is relevant to and adhered to by program, intelligence,
counterintelligence, and security personnel. We determined that training and education
for the protection of CPI was not tailored.

DoD Instruction 5200.39 states that the USD(AT&L) will collaborate with the Under
Secretary of Defense (Intelligence) and the Assistant Secretary of Defense (Networks and
Information Integration)/DoD Chief Information Officer to require that appropriate
training be available to RDA personnel regarding the identification and protection of CPI.
Training should include the roles that RDA, sustainment (logistics, maintenance, repair,
supply), testing, counterintelligence, intelligence, security, systems engineering, and
information systems security engineering personnel perform to identify and protect CPI.

While the amount of experience varied, the majority of the personnel interviewed had
many years of experience on major weapon system acquisition programs. However, the
level of training related to CPI protection varied. There were personnel with no training,
those with training acquired on the job, and others with attendance at training offered by
the RDA program support organization.

The level 1 and 2 acquisition courses at the Defense Acquisition University minimally
address counterintelligence, intelligence, and security support to RTP. However, to
ensure that program personnel have a better understanding of RTP support, the ARTPC
offers and conducts acquisition program protection training for its research and
technology community. The training entails a review of the program protection process,
including the CPI assessment and the generation of the technology protection plan and
program protection plan. The Defense Security Service is designing a CPI course for
DoD contractors and Government security officers that is scheduled to be ready at the
end of 2010.

The Joint Counterintelligence Training Academy offers counterintelligence support to
RTP training and provides advanced counterintelligence training to Defense
counterintelligence components. The Academy also provides training to other
intelligence community personnel on a limited basis. However, the counterintelligence
support to RTP training is not structured for non-counterintelligence personnel, who
typically provide a large share of the RTP support to PMs.

Conclusion 

There was no tailored CPI protection training. Intelligence and security-related training
for the protection of CPI is uneven. Training tailored to participants' roles needs to be
developed and made available by the organization most able to deliver it effectively and
efficiently. Research, development, and acquisition program support organizations, the
Defense Acquisition University, and the Defense Security Service should be considered
delivery mechanisms for training.

Recommendations, Management Comments, and Our Response

B3. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics, in collaboration with the Under Secretary of Defense for
Intelligence, and the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer develop standardized guidance for
training in CPI protection for use by the RTP community.

Management  Comments 

The Under Secretary of Defense for Acquisition, Technology, and Logistics partially
concurred, while the Under Secretary of Defense for Intelligence, and the Assistant
Secretary of Defense (Networks and Information Integration)/DoD Chief Information
Officer concurred with the recommendation to develop standardized guidance for training
in CPI protection for use by the RTP community. The Under Secretary of Defense for
Acquisition, Technology, and Logistics agreed to develop standardized guidance and
training, inclusive of a broader scope of protection for the program protection
community, not only the RTP community, stating that RTP does not include the new
requirements to protect elements or components critical to network or mission
effectiveness in DoD Instruction 5200.39.

Our  Response 

The comments of the Under Secretary of Defense for Acquisition, Technology, and
Logistics, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of
Defense (Networks and Information Integration)/DoD Chief Information Officer are
partially responsive in meeting the intent of the recommendation. The Under Secretary
of Defense for Acquisition, Technology, and Logistics should provide a date for
developing standardized guidance for training in CPI protection for use by the program
protection community.

Issue Area Four: Use of Resources for the Protection of Critical Program Information

We assessed this issue area to determine whether program, intelligence,
counterintelligence, and security personnel assigned to protect CPI are appropriately
used.


OASA ALT - (b)(4)


For the WIN-T program, it appeared that the Deputy Chief of Staff, G-2, provided
adequate support through the 902nd Military Intelligence Group, the Army
Counterintelligence Center, the National Ground Intelligence Center, and the ARTPC.


OASA ALT - (b)(5)


OASA ALT - (b)(4), (b)(5)


Conclusion 

WIN-T did not track or report program protection or security-related expenditures.
Tracking and reporting these expenditures assist program management offices with
budget projections for security throughout the program and with measuring the return on
the security expenditures.


OASA  ALT  -  (b)(5) 


Because of the many organizations we visited as part of this broad assessment and the
level of depth needed to fully assess this issue area, and because we are conducting an
assessment to determine how the Department tracks security costs, we make no
recommendations for this issue area.

Issue Area Five: Effectiveness of Policies to Protect Critical Program Information

We assessed this issue area to determine whether published guidance for the
identification and protection of CPI is relevant to and adhered to by program,
intelligence, counterintelligence, and security personnel. We primarily assessed RTP
efforts using DoD Instruction 5200.39; however, many issuances, covering many subject
areas, and coming from many agencies, that address RTP. There are 145 policies that an
acquisition program may need to comply with the vast amounts of policy related to
program protection. A hyperlinked HTML version of a chart, developed by the Office of
Systems Analysis, in the Systems Engineering Directorate, overseen by the Director of
Defense Research and Engineering, in the office of the USD(AT&L), depicting the
policies can be found at http://www.acq.osd.mil/sse/docs/acq-security-policy-tool/index.html

Because the number of policies is so vast, they require a more in-depth analysis than this
limited scope program protection assessment pilot offered. As explained in Finding A,
the Army Audit Agency found that the Army did not have a regulation governing RTP.
The Army is developing guidance on RTP. It has established a working group that would
implement the guidance contained in DoD Instruction 5200.39 on RTP, as well as
implement the recommendations in the Army Audit Agency audit related to protecting
CPI.

Guidance on this subject that is referenced in DoD Instruction 5200.39 has yet to be promulgated.
Enclosure 2, paragraph 4.b. tasks the Assistant Secretary of Defense (Networks and
Information Integration)/DoD Chief Information Officer to "identify minimum security
requirements for contractor owned and operated information systems for the protection of
CPI." Directive-Type Memorandum 08-027, "Security of Unclassified DoD Information
on Non-DoD Information Systems," July 31, 2009, addresses security requirements for
contractors processing DoD information on non-DoD information systems and may
provide a model for this, but it does not address the protection of CPI specifically. The
appropriate guidance can be developed and incorporated in the upcoming CPI protection
manual or other RTP-related issuances.

Conclusion 

Since December 2008, the Army has ongoing efforts to develop guidance on RTP. It has
established a working group to implement the guidance contained in DoD Instruction
5200.39 on RTP, as well as implement the recommendations in the Army Audit
Agency's April 29, 2009 report "Army Research and Technology Protection Program;
Office of the Assistant Secretary of the Army (Acquisition, Logistics and Technology)."
Guidance has not been developed that specifically addresses the protection requirements
for CPI on contractor-owned and -operated information systems.

Recommendations, Management Comments, and Our Response

B5-1. We recommend that the Assistant Secretary of Defense (Networks and
Information Integration)/DoD Chief Information Officer, in coordination with the
Under Secretary of Defense for Acquisition, Technology, and Logistics, and the
Under Secretary of Defense for Intelligence, develop and publish security
requirements for contractors processing CPI on contractor-owned and -controlled
information systems.

Management  Comments 

The Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief
Information Officer, the Under Secretary of Defense for Acquisition, Technology, and
Logistics, and the Under Secretary of Defense for Intelligence concurred with the
recommendation to develop and publish security requirements for contractors processing
CPI on contractor-owned and -controlled information systems through a combination of
the issuance of Directive Type Memorandum 08-027, DoD Instruction 5205.13, "Defense
Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities,"
January 29, 2010, Under Secretary of Defense for Acquisition, Technology, and Logistics
memorandum, "Cyber Security in Defense Acquisition Programs," November 18, 2008,
and DoD Federal Acquisition Regulation Supplement Case 2008-D028, "Safeguarding
Unclassified Information," which will provide the specific guidance to contracting
officers and associated clauses to implement the Directive Type Memorandum in
contracts.

Our  Response 

The comments to the recommendation are partially responsive in meeting the intent of
the recommendation. The Under Secretary of Defense for Acquisition, Technology, and
Logistics should provide a date for the completion of DoD Federal Acquisition
Regulation Supplement Case 2008-D028, "Safeguarding Unclassified Information."

Issue Area Six: Ability of Counterintelligence, Intelligence, and Security to Support the
Protection of Critical Program Information

We assessed this issue area to determine whether published guidance to enable
counterintelligence, intelligence, and security personnel and programs to support the
protection of CPI is relevant to and adhered to by program, intelligence,
counterintelligence and security personnel. We determined that counterintelligence and
security were known to WIN-T program staff and did provide required
counterintelligence and intelligence support and threat-related data. However, a
Technology Targeting Risk Assessment had not been requested. WIN-T program staff
were not aware of Defense Security Service personnel, and Defense Security Service was
not aware of the existence of WIN-T CPI, nor was the existence of CPI or a program
point of contact for reporting violations annotated on the DD Form 254.

DoD Instruction 5200.39 states that the Under Secretary of Defense (Intelligence) will
issue policy guidance that requires the heads of DoD Components with
counterintelligence elements and organizations to develop and implement tailored
counterintelligence support plans at all DoD research and development facilities, for all
RDA programs with CPI, and at facilities of cleared Defense contractors with CPI; to
issue policy guidance that requires the heads of DoD Components with intelligence and
counterintelligence analytical centers to provide assessments regarding foreign
intelligence requirements for and targeting of CPI; DoD Component intelligence
analytical centers, in cooperation with the Defense Intelligence Agency, to provide
Technology Targeting Risk Assessments* to assist RDA programs with mitigating the
risk of CPI compromise and to support counterintelligence organizations with developing
counterintelligence assessments of CPI; and directs counterintelligence analytical centers
to provide counterintelligence assessments for RDA programs with CPI.

Counterintelligence support personnel were known to WIN-T program management
office personnel, participated in the CPI identification process, and prepared a
counterintelligence support plan. The counterintelligence support plan contained
sufficient detail for WIN-T program management office personnel to understand the
support that they could expect to receive from counterintelligence support personnel.

Security  personnel  front  CF.COM  Life  Cycle  Management  Command.  0-2,  although  not 
embedded  in  the  WTN-T  program  management  office,  were  known  to  program  staff  and 
had  submitted  requirements  for  threat  data,  with  the  exception  of  the  T  ethnology 
largcung  Risk  Assessment.  The  CFCOM  Life  Cycle  Management  Command.  G-2.  had 
also  promulgated  the  System  Threat  Analysis  Report 


*'  Country-by-coumry  assessments  conducted  b\  the  Dclcn.se  intelligence  community  that  quantify  risks  to 
critical  program  information  and  related  enabling  technologies  for  weapons  systems,  adv  anced 
technologies  or  pre^num.  and  facilities  such  as  lubo Hilaries,  factories,  research  and  development  sites  (test 
ranges,  ere  I.  and  military  installations  The  lectmnlnyv  Targeting  Risk  Assessment  evaluates  live 
independent  risk  factors,  each  of  which  conn  I  bales  in  an  overall  risk  factor  The  fivi  areas  evaluated  j-. 
Technology  competence,  national  level  of  interest,  nsk  of  technology  diversion,  ability  c<>  assimilate,  and 
technology  protection  risk.  T  Tie  Technology  Targeting  Risk  Assessment  and  cou.’UeriiiteTigence 
assessment  prov  ide  laboratory  technical  directors  ami  PMs  with  information  required  to  establish  a 
comprehensive  security  program  tor  tl»e  prorcci ion  ol  identified  critical  program  information. 



In accordance with DoD Instruction 5200.39, the Defense Security Service shall assist
DoD Component counterintelligence elements in coordinating the execution of
counterintelligence support plans at the facilities of cleared defense contractors with
classified CPI. The contract's DD Form 254 should indicate the existence of CPI so that
the Defense Security Service will know what areas need enhanced levels of protection.
The DD Form 254 also needs to identify cleared defense contractors performing on and
employees' access to the locations where classified CPI or unclassified CPI relating to
classified contracts reside. The Defense Security Service is developing procedures to
centralize the receipt, analysis, and dissemination of such information in a manner that
permits maximum control and use. Defense PMs must provide the Defense Security
Service a copy of the program protection plan and counterintelligence support plan to
adequately provide overlapping counterintelligence support to protect CPI. Identification
of all subcontractors performing on specific programs with classified CPI or unclassified
CPI on classified programs would improve the protection of CPI.

The Defense Security Service was not informed of the existence of WIN-T CPI. It was
not contained in the DD Form 254, and there was no communication between the
Defense Security Service and WIN-T program office staff. There should be better
communication between the Defense Security Service and the prime contractor.
Moreover, there is no place on the DD Form 254 to state which subcontractors possess
critical program information. If a program's DD Form 254 specified the existence of
unclassified critical program information and the protection measures required, the
Defense Security Service could include critical program information protection in its
facility inspections. The DD Form 254 should also include a program point of contact for
reporting security violations and counterintelligence concerns. While the WIN-T CPI is
unclassified, DSS during the conduct of regularly scheduled security inspections at
cleared Defense contractor facilities determines if there are any contractually imposed
protection measures for CPI related to classified contracts at those locations.

Conclusion 

Supporting counterintelligence and security personnel were known to WIN-T program
management office personnel. However, the Defense Security Service was not informed
of the existence of CPI, and the existence of CPI was also not written into the DD Form
254. It is unclear how lower-tier subcontractors accomplish program protection and,
further, how verification of contractor compliance with DD Form 254 below the prime
contractor level is accomplished. The DD Form 254 should include a program point of
contact for reporting security violations and counterintelligence concerns. While the
WIN-T CPI is unclassified, DSS during the conduct of regularly scheduled security
inspections at cleared Defense contractor facilities determines if there are any
contractually imposed protection measures for CPI related to classified contracts at those
locations.

Recommendations, Management Comments, and Our Response


As a result of management comments, we redirected Recommendation B6 from the
Director, Defense Security Service to the Deputy Under Secretary of Defense for
HUMINT, Counterintelligence, and Security.

B6. We recommend that the Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security prepare written guidance to determine:

a. what can and should be contained in the DD Form 254 for the protection
of controlled unclassified CPI; and

b. how program protection should be implemented at the level of
subcontractors, and how to verify contractor compliance with the
DD Form 254 and the program protection plan.

Management  Comments 

The Deputy Under Secretary of Defense for HUMINT, Counterintelligence, and Security
concurred with the recommendation. The Deputy Under Secretary of Defense for
HUMINT, Counterintelligence, and Security will add CPI as a separate line item to be
considered when completing the form, add instructions for Program Managers to include
special CPI instructions, require the prime contractor to maintain and provide authorized
government officials with updated lists of all subcontractors participating in their
contract program and indicate which requires access to classified CPI (and/or require
access to the CPI at other locations) in conjunction with the performance of their
subcontracts, identify central locations at the Defense Security Service for the Program
Office to provide program protection plan information to the applicable field offices for
prime and subcontractors, and indicate whether contractors need to implement specific
technology protection measures at their facilities. The Deputy Under Secretary of
Defense for HUMINT, Counterintelligence, and Security will also include this guidance
within Enclosure 2, “Responsibilities,” and Enclosure 6, “Contract Requirements,” of the
draft DoD Manual 5200.39-M.

Our  Response 

The comments of the Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security are partially responsive in meeting the intent of the
recommendation. The Deputy Under Secretary of Defense for HUMINT,
Counterintelligence, and Security should provide a date for implementing the changes to
the DD Form 254 described in response to our recommendation. If the Deputy Under
Secretary of Defense for HUMINT, Counterintelligence, and Security believes that the
formal coordination process for the draft manual will prevent timely guidance from
reaching program protection officials, then steps should be taken to provide interim
guidance, such as a policy letter or directive type memorandum, to ensure timely changes
to the DD Form 254.

Issue Area Seven: Effectiveness of the Foreign Visit Program

We assessed this issue area to determine whether published guidance for foreign visits is
relevant to and adhered to by program intelligence, counterintelligence, and security
personnel. We assessed this issue area because in a policy letter, “Accountability of
Department of Defense (DoD) Sponsored Foreign Personnel in the United States (US),”
May 18, 2004, the Deputy Secretary of Defense requires all Inspectors General to verify
compliance with the sponsored foreign personnel policy through their inspection
processes. We also assessed this issue area to ensure that decisions to grant foreign
nationals access to classified and controlled unclassified information during their visits to
DoD Component and cleared contractor facilities are consistent with the security and
foreign policy interests of the United States and DoD Directives 5230.11, 5230.20, and
5530.3.16 If there is to be foreign involvement in any aspect of a program or foreign
access to the system or its related information, the program protection plan should
contain provisions to deny inadvertent or unauthorized access.


Conclusion

Because the WIN-T program management office does not have involvement by any
foreign government or international organization in a cooperative development
arrangement at this time, we make no recommendations for this issue area.


16 DoD Directive 5230.11, “Disclosure of Classified Military Information to Foreign Governments and
International Organizations,” June 16, 1992; DoD Directive 5230.20, “Visits and Assignments of Foreign
Nationals,” June 22, 2005; and DoD Directive 5530.3, “International Agreements,” June 11, 1987.

Issue Area Eight: Application of Horizontal Protection of Critical Program Information

We assessed this issue area to determine whether published guidance for horizontal
protection is relevant to and adhered to by program, security, intelligence, and
counterintelligence personnel. We assessed this issue area to ensure that critical Defense
technologies, to include CPI, associated with more than one RDA program are protected
to the same degree by all involved DoD activities. DoD Instruction 5200.39 states that it
is DoD policy to conduct comparative analysis of defense systems technologies and align
CPI protection activities horizontally throughout DoD. It also states that the Under
Secretary of Defense (Intelligence), in coordination with the USD(AT&L) and the
Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief
Information Officer, will require the establishment of a database for RDA organizations
to record and track CPI for horizontal protection, compromise, and analysis purposes.

The Acquisition Security Database, a horizontal protection database originally created by
the U.S. Navy, can provide the RTP community with greater access to CPI. However,
the Acquisition Security Database is not used by all Defense RDA components. The Air
Force had developed its own horizontal protection database. Use of a horizontal
protection database by the RDA community would represent an important step toward the
protection of DoD's CPI. Once the RDA community is populating a horizontal
protection database, RTP practitioners will be able to view all programs with similar CPI
to help ensure consistent RTP support.

the DoD Instruction 5200.39 requirement that a horizontal protection database be used in

Conclusion

The DoD Instruction 5200.39 requirement that a horizontal protection database should be
used in support of the identification of CPI appears to be effective for the WIN-T program.

Recommendations, Management Comments, and Our Response

As a result of management comments, we redirected the lead for Recommendation B8
from the Under Secretary of Defense for Intelligence to the Under Secretary of Defense
for Acquisition, Technology, and Logistics.

B8. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics, in coordination with the Under Secretary of Defense for
Intelligence and the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer, determine the appropriateness of using

Management Comments

The Under Secretary of Defense for Acquisition, Technology, and Logistics, the Under
Secretary of Defense for Intelligence, and the Assistant Secretary of Defense (Networks
and Information Integration)/DoD Chief Information Officer concurred with the


However, the Under Secretary of Defense for Intelligence non-concurred with the lead
being under their cognizance, but instead stated the recommendation should be under the
cognizance of the Under Secretary of Defense for Acquisition, Technology, and Logistics
as the data owner. The Under Secretary of Defense for Acquisition, Technology, and
Logistics agreed. In compliance with DoD Instruction 5200.39, the Under Secretary of
Defense for Acquisition, Technology, and Logistics through a memorandum of
understanding with


Our  Response 

The comments are responsive and meet the intent of the recommendation.

Appendix A. Scope and Methodology

This  assessment  was  conducted  in  accordance  with  Quality  Standards  for  Inspections.17 
Those  standards  require  that  we  plan  and  perform  the  assessment  to  obtain  sufficient, 
appropriate  evidence  to  provide  a  reasonable  basis  for  our  findings  and  conclusions  based 
on  our  assessment  objectives.  We  believe  that  the  evidence  obtained  provides  a 
reasonable  basis  for  our  findings  and  conclusions  based  on  our  assessment  objectives. 

We  conducted  site  visits  and  a  majority  of  the  interviews  for  this  assessment  from  March 
2009  through  September  2009,  with  additional  clarifying  interviews  extending  to  the 
publication  of  this  draft  report. 

The  overall  assessment  scope  was  broad,  encompassing  DoD  counterintelligence, 
intelligence,  security,  and  program  personnel  to  protect  CPI.  We  did  not  assess  research, 
sustainment,  or  demilitarization  phases,  nor  did  we  include  special  access  programs  in  the 
scope  of  this  assessment.  Our  scope  did  not  include  Section  254  of  the  FY  2009  National 
Defense  Authorization  Act,  “Trusted  Defense  Systems.”  Section  254  requires  the  Office 
of  the  Secretary  of  Defense  to  conduct  assessments  of  selected  acquisition  programs  to 
identify  vulnerabilities  in  the  supply  chain  of  each  program’s  electronics  and  information 
processing  systems  that  potentially  compromise  the  level  of  trust  in  the  systems.  The 
Offices  of  the  USD(AT&L)  and  the  Assistant  Secretary  of  Defense  (Networks  and 
Information  Integration)/DoD  Chief  Information  Officer  led  a  detailed  effort,  in 
conjunction  with  other  DoD  elements,  to  conduct  the  vulnerability  assessments  and 
reported  to  Congress  as  required. 

For  our  methodology,  we  issued  an  overarching  announcement  letter  to  the  Department 
on  June  18,  2008,  “Assessment  of  DoD  Efforts  to  Protect  Critical  Program  Information” 
(Project  No.  D2008-DINT01-0242.000),  which  encompassed  the  eight  key  issue  areas. 
The  eight  issue  areas  related  to  CPI  identification  and  program  protection  planning 
evolved  from  a  series  of  inspections  conducted  by  the  Service  Inspectors  General  and  an 
overarching  integrated  process  team  chartered  by  the  Deputy  Secretary  of  Defense  in 
2000.  The  overarching  integrated  process  team  identified  27  tasks  that  would  enhance 
the  Department’s  ability  to  identify  and  protect  CPI,  the  effectiveness  of  the  foreign 
visitor  program,  and  the  effectiveness  of  counterintelligence  and  security  support  to 
RDT&E  facilities  and  the  acquisition  process.  We  categorized  these  27  tasks  into  the 
eight  key  issue  areas  that  are  the  objectives  of  this  pilot  and  the  subsequent  assessments. 
Within  the  framework  of  these  eight  issue  areas,  we  specifically  focused  on  and  assessed 
standardization  of  protection  processes  and  their  application,  oversight  of  the  protection 
process  and  its  implementation,  and  responsibility  for  protection.  The  eight  issue  areas 
are  the  cornerstone  issues  of  RTP  and  will  be  the  focus  of  our  future  oversight  efforts. 

On  December  12,  2008,  we  forwarded  a  letter  co-signed  by  the  DoD  Office  of  Inspector 
General,  Deputy  Inspector  General  for  Intelligence  and  the  Deputy  Under  Secretary  of 
Defense  (Acquisition  and  Technology)  to  the  Service  Acquisition  Executives  informing 
them  of  the  program  protection  pilot  and  the  need  to  assess  how  well  the  Department 
identifies  and  protects  CPI  and  the  attendant  program  protection  planning  process. 


17  The  standards  were  published  by  the  President’s  Council  on  Integrity  and  Efficiency  and  the  Executive 
Council  on  Integrity  and  Efficiency,  which  the  Inspector  General  Reform  Act  of  2008  combined  in  creating 
the Council of the Inspectors General on Integrity and Efficiency.

In conjunction with the Office of the Deputy Under Secretary of Defense (Acquisition
and Technology), we selected a statistical sample of 17 ACAT ID programs of record
from the major defense acquisition program list to participate in an initial questionnaire
phase for this program protection pilot assessment. In a subsequent phase, we selected
three programs of record, one from each Service, for in-depth assessment.

To ensure that the DoD Office of Inspector General enhances its ability to provide
oversight of component Inspectors General audits, evaluations, inspections, and law
enforcement activities - and because it was essential to gain a solid understanding of how
effectively the Department protects CPI in order to maintain our technological advantage
and deliver uncompromised weapon systems to the warfighter - we planned and
performed this assessment in coordination with subject matter experts from the Offices of
the Under Secretaries of Defense for Acquisition, Technology, and Logistics, for Policy,
and for Intelligence; the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer; and the Defense Security Service. Although
the subject matter experts contributed to this project, the project results and
recommendations are those of the DoD Office of Inspector General.


We 


wanted to assess a program of record that was in the early stage, one that was almost
at the conclusion, and one that had completed program protection planning. This
methodology would provide us with an evolutionary perspective of program protection


OASA ALT - (b)(5)


Use  of  Computer-Processed  Data 

We did not use computer-processed data to perform this assessment.

Appendix B. Prior Coverage

During the last 10 years, the Government Accountability Office (GAO) and the
Department of Defense Inspector General (DoD IG) have issued 11 reports discussing
DoD and Army efforts to protect critical program information. Unrestricted GAO reports
can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports
can be accessed at http://www.dodig.mil/Ir/reports.


GAO 

GAO Report No. GAO-09-271, “GAO High-Risk Series - An Update,” January 2009

GAO Report No. GAO-08-467SP, “Assessments of Selected Weapons Programs,”
March 2008

GAO Report No. GAO-08-91, “Departmentwide Direction is Needed for Implementation
of the Anti-tamper Policy,” January 2008

GAO Report No. GAO-04-302, “DoD Needs to Better Support Program Managers'
Implementation of Anti-Tamper Protection,” March 2004


DoD IG

DoD IG Report No. 08-INTEL-09, “Report on FY 2007 Summary Report of Inspections
on Security, Technology Protection, and Counterintelligence Practices at DoD Research,
Development, Test and Evaluation Facilities,” June 23, 2008

DoD IG Report No. 08-INTEL-04, “Inspection Guidelines for DoD Research and
Technology Protection, Security and Counterintelligence for 2008,” April 18, 2008

DoD IG Report No. 07-INTEL-11, “FY 2006 Summary Report of Inspections on
Security, Technology Protection, and Counterintelligence Practices at DoD Research,
Development, Test and Evaluation Facilities,” August 31, 2007

DoD IG Report No. 06-INTEL-14, “FY 2005 Summary Report of Inspections on
Security, Technology Protection, and Counterintelligence Practices at DoD Research,
Development, Test and Evaluation Facilities,” September 20, 2006

DoD IG Report No. 06-INTEL-0j, “Inspection Guidelines for DoD Research and
Technology Protection, Security and Counterintelligence for 2006,” February 28, 2006

DoD IG Report No. 05-INTEL-14, “FY 2004 Summary Report of Inspections on
Security, Technology Protection, and Counterintelligence Practices at DoD Research,
Development, Test and Evaluation Facilities,” May 27, 2005

DoD IG Report No. 00-OIR-05, “Measures to Protect Against the Illicit Transfer of
Sensitive Technology,” March 27, 2000

Appendix C. Additional Background Information


Historical Perspective. In early 1999, the Deputy Secretary of Defense directed the
Service Inspectors General to survey the counterintelligence and security programs at
more than 60 RDT&E facilities. The teams identified a number of recommendations
related to the specific sites. As a result of these efforts, the Deputy Secretary of Defense
chartered an Overarching Integrated Process Team to better frame the recommendations
and to oversee their implementation. From February 12 to May 12, 2000, the Deputy
Secretary of Defense signed a total of 7 memoranda containing 27 tasks aimed at
enhancing the Department's ability to identify and protect CPI, implement an effective
foreign visitor program, and provide effective counterintelligence and security support to
RDT&E facilities and the acquisition process. On February 17, 2000, the Deputy
Secretary of Defense signed a memorandum requesting the DoD Inspector General to
ensure that DoD Components implement a uniform system of periodic reviews through
their existing agency and Service inspection processes for compliance with directives
concerning security, technology protection, and counterintelligence practices. These
reviews were to assist with the protection of the cutting edge technology of U.S. weapon
systems. The February 17, 2000 memorandum also requested that the DoD Inspector
General develop inspection list guidelines for all Department Inspectors General to
enhance consistency. The Deputy Secretary of Defense's requests to the DoD Inspector
General are also outlined in DoD Instruction 5200.39.

On May 8, 2002, the Inspector General, DoD; the Deputy Under Secretary of Defense for
Laboratories and Basic Sciences; the Director, Operational Test and Evaluation; the
Service Inspectors General; and the Director, Program Integration, Internal Management
Review (formerly Internal Assessments), Missile Defense Agency, signed a
memorandum of understanding on security, technology protection, and
counterintelligence inspections. The memorandum of understanding requires
participating Inspectors General to prepare and forward to the DoD Office of Inspector
General any significant findings and recommendations at the end of each inspection. The
DoD Office of Inspector General18 issues a summary report on inspections of security,
technology protection, and counterintelligence practices at DoD RDT&E facilities.


18 Since the original request by the Deputy Secretary of Defense, the Office of the Deputy Inspector
General for Intelligence, in the DoD Office of Inspector General, has published the annual summary report,
highlighting Service and milestone decision authority inspections and best practices. We also publish the
guidelines biennially, with input from Department and Component counterintelligence, intelligence,
security, and Inspectors General elements.

Appendix D. DoD Organizations and Efforts
to Protect Critical Program Information

Establishing a consistent process for identifying CPI and conducting program protection
planning, a process that takes into account the role research, development, acquisition,
counterintelligence, intelligence, security, and systems engineering personnel perform, is
critical for ensuring that DoD can protect CPI. In December 2008, DoD established nine
working groups to address CPI identification and program protection planning. The
working group process is co-led by the offices of the USD(AT&L) and the Under
Secretary of Defense (Intelligence). Each working group is chaired by either a DoD or
Service representative with expertise in the protection of CPI. DoD has agreed that there
should be an overarching set of program protection products (for example, process,
guidance, tools) and that these would be extended and amplified by the Services and
agencies to serve their needs. One of the goals of these working groups is for the
Services and agencies to assess the sufficiency of resources available to support program
protection when the program protection processes are sufficiently mature to form a basis
for such an assessment.

Program  Protection  Working  Groups 

Definitions Working Group. This working group will expediently affirm and document
the CPI, program protection, systems assurance, and software assurance terms and
associated hierarchy of relationships. Completion of this working group was described as
being necessary to initiate the other working groups.

CPI Identification Process Working Group. This working group is to establish the
minimum standards for the process used by DoD to identify CPI. Services and agencies
will be allowed to extend and amplify to suit their Service or agency needs. A second
product will be a method of assessing the tools used by various Services and agencies to
identify CPI. The working group will use, as appropriate, the results from other groups.

Program Protection Planning Content, Format, and Review Working Group. This
working group will develop two products. The first product will be guidance on
preparing program protection plans. The second product will document the program
protection plan review process and stakeholders. The program protection plan review
process will detail milestone requirements (with checklists) for development, review, and
approval. Stakeholders include Service components, the USD(AT&L), the Under
Secretary of Defense (Intelligence), and subject matter experts for applicable
countermeasures such as anti-tamper measures, and Defense trusted integrated circuits.
The first draft of the program protection plan review process was based on the systems
engineering plan19 process and will be revised in a Six Sigma working group.


19 The systems engineering plan is the blueprint for the execution, management, and control of the technical
aspects of an acquisition program from conception to disposal. Systems engineering translates operational
requirements into configured systems, integrates technical inputs of the entire design team, manages
interfaces, characterizes and manages technical risk, transitions technology from the technology base into
program specific efforts, and verifies that designs meet operational needs. The systems engineering plan is
a “living” document that captures a program's current and evolving systems engineering strategy and its
relationship with the overall program management effort.

Acquisition Policy and Guidance for Program Protection Working Group. This
working group will aid in the development of program protection guidance to be
documented in the upcoming DoD 5200.39 Manual. The working group will build on all
other working group outputs and ensure consistency with the DoD Instruction 5000.02.

Training and Transition Working Group. This group will develop a competency
model for program protection roles. Based on the preliminary work done by the Program
Protection  Working  Group,  this  working  group  will  confirm  the  required  skills,  define  the 
course  content  to  serve  the  needs  of  the  various  functional  areas  (acquisition,  engineering, 
counterintelligence,  criminal  investigative  service,  and  the  like),  and  estimate  the  number 
of  courses  required  per  year  to  accommodate  the  training  of  the  workforce.  This  working 
group  will  also  develop  and  implement  a  plan  to  train  service  personnel  and  transition  to 
the  revised  program  protection  process  and  policy. 

Horizontal Protection Process Working Group. This working group will define
process flow, roles, responsibilities, and policy to execute horizontal protection from
before milestone A through sustainment. The first task will be to determine the need for
a standardized security classification guide for program protection. The work of this
team will be submitted to the Under Secretary of Defense (Intelligence) for consideration
in the development of the next version of DoD 5200.1-R, "Information Security
Program," the current version of which is dated January 1997. This group will also work
to provide input to the Acquisition Security Database Configuration Control Board and to
incorporate the Acquisition Security Database within Service policy and processes.

Manpower Studies Working Group. Formation of this working group will depend on
each  Service  making  a  determination  whether  or  not  to  act  on  the  proposal  of  the 
Program  Protection  Working  Group  to  conduct  manpower  studies  to  assess  the 
sufficiency  and  availability  of  resources  to  support  the  program  protection  process. 

Criticality  Assessment  Working  Group.  This  working  group  will  develop  the  process 
required  to  implement  system  security  engineering  in  program  protection  planning. 
Membership will include primarily systems engineers and individuals familiar with
program risk mitigation as currently implemented by programs.

Vulnerability Process Working Group. This working group will define the process
and criteria for the vulnerability assessment step in the program protection process. The
scope of the vulnerabilities assessment will include the acquisition development and
manufacturing environments, supply chain, operational environment, and system design.

Under  Secretary  of  Defense  for  Intelligence 

The Under Secretary of Defense for Intelligence began promulgating policy for
counterintelligence support in 2009 to the RDA community. The policy will implement
the relevant sections of policy established in DoD Instruction 5200.39 for
counterintelligence support to the protection of CPI; DoD Instruction 2040.02,
"International Transfers of Technology, Articles, and Services," July 10, 2008, for
counterintelligence support to international transfers of technology, articles, and services;
and Deputy Secretary of Defense Directive-Type Memorandum 08-048, "Supply Chain
Risk Management (SCRM) to Improve the Integrity of Components Used in DoD
Systems," February 19, 2009, for counterintelligence support to supply-chain risk
management.

The new policy will establish a requirement for an intelligence assessment of DoD RDA
programs to provide baseline security requirements against foreign intelligence
collection. It will also integrate a technology threat risk assessment with the appropriate
counterintelligence analytical product to inform RDA programs of threats to CPI from
foreign intelligence entities. It is currently in the formal coordination process.

The Under Secretary of Defense (Intelligence) is also in the process of finalizing DoD
Manual 5200.39, "Procedures for Critical Program Information (CPI) Protection Within
the Department of Defense," which will provide the guidance for the implementation of
program protection measures. It is currently in the formal coordination process.


Defense  Intelligence  Agency 


The Defense Intelligence Agency provides risk assessment products on foreign threats

_ _ _ coordinates with DoD Component counterintelligence
elements on horizontal protection in support of the protection of CPI. The Defense
Intelligence Agency produces the Targeting Risk Assessments and


Defense  Security  Service 

U.S. industry develops and produces the majority of our Nation's defense technology,
much of which is classified, and thus plays a significant role in creating and protecting
the information that is vital to our Nation's security. The National Industrial Security
Program was established by Executive Order 12829 to ensure that cleared U.S. facilities
safeguard the classified information in their possession while performing work on
contracts, programs, bids, or research and development efforts. The Defense Security
Service administers the National Industrial Security Program on behalf of DoD and 23
other Federal agencies. Defense Security Service has responsibility for over 13,000
active, cleared facilities in the National Industrial Security Program.

The  Defense  Security  Service  supports  national  security  and  the  warfighter,  secures  the 
Nation's  technological  base,  and  oversees  the  protection  of  U.S.  and  foreign  classified 
information in the hands of industry. The Defense Security Service accomplishes this
mission by performing six mission-essential tasks:

• clearing industrial facilities, personnel, and accrediting associated information
systems;

• counterintelligence support to cleared industry and referral of counterintelligence
relevant information to applicable counterintelligence community members and
law enforcement agencies;

• managing foreign ownership, control, and influence in cleared industrial facilities;

• providing advice and oversight to industry;

• delivering security education and training; and

• conducting mission support operations.

To accomplish this mission, the Defense Security Service has approximately 270
industrial security representatives and approximately 50 field counterintelligence
specialists spread across the United States. They provide oversight and assistance to
cleared contractor facilities and assist the organization's management and facility security
officers in ensuring the protection of national security information.

The Defense Industrial Security Clearance Office processes requests for industrial
personnel security investigations and provides eligibility or clearance determinations for
cleared industry personnel under the National Industrial Security Program.

The Defense Security Service Academy delivers security education and training to DoD
civilians, military, and other U.S. Government personnel, National Industrial Security
Program contractors, and sponsored representatives of foreign governments.

The Defense Security Service Counterintelligence Directorate provides
counterintelligence functional services in support of DoD RDA, as described below.

• Defense Security Service identifies unlawful penetrations to facilities cleared in
conjunction with the National Industrial Security Program.

• Defense Security Service counterintelligence prepares and provides relevant
threat information, awareness briefings, and tailored analytical products to cleared
defense contractors as determined necessary based on prioritized risk levels and
specific requests from cleared defense contractors.

• The Defense Security Service counterintelligence office produces an annual
report, "Targeting U.S. Technologies: A Trend Analysis of Reporting from
Defense Industry." The Defense Security Service encourages cleared defense
contractors to use this information for security awareness and education programs
at their facilities.

Appendix E. Army Organizations and Efforts
to Protect Critical Program Information

902nd  Military  Intelligence  Group 

The 902nd Military Intelligence Group's technology protection mission is to detect,
identify, neutralize, and exploit foreign intelligence service threats to Army technologies.
The Group identifies investigative and operational opportunities within the acquisition
and RDT&E communities while providing for the secure fielding of Army technologies,
capabilities, and weapon systems. The 902nd Military Intelligence Group employs
counterintelligence covering agent support to acquisition PMs and Army research
facilities to ensure detailed familiarity with the supported element's operations,
personnel, security, and vulnerabilities. In turn, the Group provides the element with a
point of contact for reporting matters of counterintelligence interest. The Group
augments covering agents with technical, analytical, investigative, and operational
resources to neutralize or exploit foreign intelligence threats.

Army  Counterintelligence  Center 

The  Army  Counterintelligence  Center  is  the  Army's  counterintelligence  analysis  and 
production  center.  The  Army  Counterintelligence  Center’s  mission  is  to  provide  timely, 
accurate,  and  effective  multidisciplinary  counterintelligence  analysis  in  support  of  the 
U.S. Army combating terrorism program, ground system technologies, and
counterintelligence investigations, operations, and activities. The Army
Counterintelligence Center provides the multidisciplinary counterintelligence threat
assessment to Army program offices to assist with the evaluation of risk, based on threats
to the program's CPI. The Center supports Army, DoD, and non-DoD customers.


National  Ground  Intelligence  Center 

The mission of the National Ground Intelligence Center is to provide science and
technical intelligence and general military intelligence on foreign ground forces. The
Center supports the warfighting commanders; force and material developers; and
Department of the Army, DoD, and national decision make


INSCOM - (b)(7)(E)

Army Defense Industrial Base Cyber Security Office


The Army Defense Industrial Base Cyber Security Office works across the Army to
integrate the requirements to protect CPI identified in DoD Instruction 5200.39 through
interface with Army program executive offices and their respective program/product
managers and with the Army Materiel Command to ensure synchronization of Army
priorities and requirements established for RTP and critical infrastructure protection
programs. Also, when technologies similar to those used by the Army are found in other
Military Service research and development programs and weapon systems, the Army
Defense Industrial Base Cyber Security Office coordinates with the USD(AT&L) and the
other Service acquisition authorities to ensure like technologies are afforded the same
level of protection.

The Army Defense Industrial Base Cyber Security Office is leading Components of the
Office of the Secretary of Defense in a tri-Service cyber security acquisition initiative
that  is  intended  to  provide  DoD  with  an  empirical  basis  including  viable  contract 
language,  budgetary  ramifications  and  Defense  Federal  Acquisition  Regulation 
Supplement/Federal  Acquisition  Regulation  revisions  to  evaluate  potential  solutions  for 
protecting  controlled  unclassified  information  on  defense  industrial  base  networks. 

The Army Defense Industrial Base Cyber Security Office is coordinating an interagency
pilot program to assess information compromised through computer intrusions against
defense industrial base contractor systems to determine whether there may have been
compromises of data on current and future Army weapons programs, scientific and
research projects, and warfighting capabilities that could cause a loss of technological
advantage against potential adversaries.

The  Army  Defense  Industrial  Base  Cyber  Security  Office  is  working  with  elements  of  the 
Office of the Secretary of Defense, including the USD(AT&L), the Assistant Secretary of
Defense (Networks and Information Integration)/DoD Chief Information Officer, and
others, to develop policy to manage the risk that adversaries might insert corrupted or
malicious technology into components - some of which may come from outside the U.S.
defense industrial base - that are bound for DoD critical systems to later gain
unauthorized access to data, alter data, or sabotage communications. The focus of the
Army effort will be on companies in the command, control, communications,
intelligence, surveillance, and reconnaissance categories, and on technologies that affect
Army modernization efforts or the security of RDT&E facilities, program offices, or
supply chains.

The  Army  Defense  Industrial  Base  Cyber  Security  Office  has  developed  cooperative 
relationships across the Army and DoD. To standardize RDA activities and to ensure it
incorporates best practices from across the Army, the Defense Industrial Base Cyber
Security  Office  has  taken  the  lead  within  an  Army  working  group  to  draft  a  regulation  on 
protecting  CPI. 


OFFICE OF THE DIRECTOR OF
DEFENSE RESEARCH AND ENGINEERING
35*0  orrmsE 

WASHINGTON, DC 20301-3040


JWI  11 


MEMORANDUM FOR DEPUTY ASSISTANT INSPECTOR GENERAL
INTELLIGENCE EVALUATIONS DoDIG

THROUGH DIRECTOR ACQUISITION RESOURCES AND ANALYSIS

SUBJECT: Response to DoDIG Draft Report on DoD Efforts to Protect Critical Program
Information: The Army's Warfighter Information Network - Tactical
(Project No. D2008-DINT01-0242.001)

As requested, I am providing responses to the general content and
recommendations contained in the subject report.

Recommendation B1-1:

We recommend that the Under Secretary of Defense (Acquisition, Technology, and
Logistics), in consultation with the Under Secretary of Defense (Intelligence), the
Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief
inlormction  ■  i Hirer.  ,-in.H  '  <  .ntynem  K  t  i'BS 


Anti-tamper (AT) policy now resides in DoD Instruction 5200.39, "Critical
Program Information (CPI) Protection Within the Department of Defense," July 16, 2008,
and DoD Instruction 5000.02, "Operation of the Defense Acquisition System," December
8, 2008. In addition, an Anti-Tamper appendix resides within the draft DoD Manual
5200.39-M, "Procedures for Critical Program Information (CPI) Protection within the
Department of Defense," which is currently in comment adjudication by the
Under Secretary of Defense for Intelligence.

The AT Executive Agent (ATEA) published the second version of its classified
SECRET AT Guidelines, which contain a common engineering methodology that guides
a Program Manager in the establishment of an appropriate AT architecture for the
protection of CPI across the entirety of a program's lifecycle. The ATEA also teaches an
AT Short Course, which includes content on:

• DoD Anti-Tamper policy directives

• the process of specifying, designing and evaluating AT technology

• anti-tamper design milestones and their relationship to the acquisition cycle

• models of security, including protection, detection, and response approaches

• reverse engineering threats to hardware and software systems

• anti-tamper techniques including encryption and protected volumes

The DoD AT Integrated Product Team (IPT), established by USD(AT&L) in
2009, oversees the DoD AT program from a strategic perspective. The IPT consists of
representatives from USD(I), NII, and other OSD offices, and has been briefed by Army,
Navy,  and  Air  Force  anti-tamper  representatives  on  cunent  sccac,  and  issue.- 

Recommendation B1-2:

We recommend that the Under Secretary of Defense (Acquisition, Technology, and
Logistics) establish guidance for identifying commercial off-the-shelf/government
off-the-shelf components as critical program information, to include assessment tools and
training.

Response:

Concur. USD(AT&L) is currently working with USD(I), ASD(NII)/DoD CIO, and the
Components to establish guidance for the identification of Critical Program Information
to include elements or components critical to network or mission effectiveness per DoD
Instruction 5200.39. These elements or components may be commercial
off-the-shelf/government off-the-shelf, and the guidance will allow for identification of those
components as CPI.

Recommendation B3-1:

We recommend that the Under Secretary of Defense (Acquisition, Technology, and
Logistics) provide guidance on model contract language in support of program protection
planning to DoD and Component RTP officials.

Response:

Concur. USD(AT&L) will provide guidance on the model contract language in support
of program protection planning to DoD and component RTP officials in accordance with
DoD Instruction 5200.39 and FAR subpart 15.204-1.

DoD Instruction 5200.39 requires that contracts supporting RDA programs where
CPI has been identified shall contain contractual terms requiring the contractor to protect
the CPI to the standards articulated in the Instruction. Programs are responsible for
getting Program Protection requirements written into the contract. Guidance on Program
Protection requirement language for CPI Protection is under development.

FAR subpart 15.204-1 specifies the format and content of RFP solicitations and
contracts. The RFP includes the terms and conditions that will be in the final contract.

Recommendation B3:

We recommend that the Under Secretary of Defense (Acquisition, Technology, and
Logistics), in collaboration with the Under Secretary of Defense (Intelligence), and the
Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief
Information Officer develop standardized guidance for training in CPI protection for use
by the RTP community.

Response:

Partial Concur. USD(AT&L) will, in collaboration with USD(I) and ASD(NII)/DoD
CIO, develop standardized guidance for training in CPI protection for use by the program
protection community, not only the RTP community. Research and Technology
Protection remains a critical portion of Program Protection planning, but does not include
the new requirements to protect elements or components critical to network or mission
effectiveness per DoD Instruction 5200.39. Training modules will reflect the need to
address the broader scope of protection. Training modules will be developed once
USD(AT&L), in collaboration with USD(I), ASD(NII)/DoD CIO, and the Components,
establishes guidance on CPI identification and protection.

Recommendation B5-1:

We recommend that the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer, in coordination with the Under Secretaries
of Defense for Acquisition, Technology, and Logistics and for Intelligence, develop and
publish security requirements for contractors processing CPI on contractor owned and
controlled information systems.


Response:

Concur. USD(AT&L) will continue to support ongoing efforts by the ASD(NII)/DoD
CIO in accordance with DoD Instruction 5205.13, "Defense Industrial Base (DIB) Cyber
Security/Information Assurance (CS/IA) Activities," January 29, 2010, and USD(AT&L)
Memorandum "Cyber Security in Defense Acquisition Programs," November !?. 2' Oh


Recommendation B8:

We recommend that the Under Secretary of Defense (Intelligence), in coordination with
the Under Secretary of Defense (Acquisition, Technology, and Logistics), and the

Assisiur.!  Scire  tan  ,.f  Defense  ('Networks  and  Infer  n  it  ,n  i  v  . . .  -  ,  i,,,  i 

Jitformu'.ior,  ''.inker  dc.  nnir.c  the  appropnafeoe.s.  ni  n  n. 


OASA ALT (b)(5)

Classification Review:

Concur  with  Lie  For  ODkcl  l.*c  Onl>  um*  on  ihc  iufcjcc!  report 


DoD OIG - (b)(6)


Please  contact  [ _ 

additional  mlorwietiosn^equirccr 


Stephen P. Welby


Director

Systems Engineering

OFFICE OF THE UNDER SECRETARY OF DEFENSE
5000 DEFENSE PENTAGON
WASHINGTON, DC 20301-5000


.•<TC  i  «i%  .* 


MEMORANDUM FOR INSPECTOR GENERAL OF THE DEPARTMENT OF
DEFENSE
(ATTN:


DoD OIG - (b)(6)


SUBJECT: Review of Draft Report, DoD Efforts to Protect Critical Program
Information: The Army's Warfighter Information Network - Tactical
(Project No. D2008-DINT01-0242.001)


In  response  to  your  April  9,  2010  memorandum,  we  provide  the  attached 

|  i  rr 


DoD  OIG  -  (b)(6) 


Stanley L. Sims
Director  of  Security 


Attachment 
As  stated 


RECOMMENDATION B1-1. We recommend that the Under Secretary of Defense
(Acquisition, Technology, and Logistics), in consultation with the Under Secretary of


RECOMMENDATION B3. We recommend that the Under Secretary of Defense
(Acquisition, Technology, and Logistics), in collaboration with the Under Secretary of
Defense (Intelligence), and the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer develop standardized guidance for training
in CPI protection for use by the RTP community.

RESPONSE: CONCUR. DoDI 5200.39, "Critical Program Information Protection
within the Department of Defense," requires that appropriate training be made available
to counterintelligence, intelligence, security, and RDA personnel regarding the
identification and protection of CPI. Enclosure 2 of the instruction provides guidelines.
DoD standards for CPI identification and protection are under development in the RTP
community; as these standards mature, training and specific course content will be
developed. Currently, the Joint Counterintelligence Training Academy offers a
Counterintelligence Support to RDA course for counterintelligence professionals.

RECOMMENDATION B5-1. We recommend that the Assistant Secretary of Defense
(Networks and Information Integration)/DoD Chief Information Officer, in coordination
with the Under Secretaries of Defense for Acquisition, Technology, and Logistics and for
Intelligence, develop and publish security requirements for contractors processing CPI
on contractor-owned and controlled information systems.

RESPONSE: CONCUR. OUSD(I) provided advice and guidance to the
OASD(NII)/DoD CIO during the development and promulgation of Directive-Type
Memorandum 08-21, "Security of Unclassified DoD Information on Non-DoD
Information Systems," and DoDI 5205.13, "Defense Industrial Base (DIB) Cyber
Security/Information Assurance (CS/IA) Activities." These issuances provide guidance
for the control of unclassified information, to include CPI, that resides on contractor
owned and controlled information systems. Guidance for the control of classified CPI
located on contractor owned and controlled information systems is governed by DoD
5220.22-M, "National Industrial Security Operating Manual."


RECOMMENDATION B8. We recommend that the Under Secretary of Defense
(Intelligence), in coordination with the Under Secretary of Defense (Acquisition,
Technology, and Logistics), and the Assistant Secretary of Defense (Networks and

Information  lnteiri.,;:r.r  i)  .  ;  ,  •  )fficeri  detr  r 

of using

INTELLIGENCE


OFFICE OF THE UNDER SECRETARY OF DEFENSE
5000 DEFENSE PENTAGON

WASHINGTON, DC 20301-5000


JUN 17 2010


MEMORANDUM  FOR  INSPECTOR  GENERAL  OF  THE  DEPARTMENT  OF 
DEFENSE 


DoD OIG - (b)(6)


SUBJECT: Defense Security Service (DSS) Response to DoD IG Draft Report, DoD
Efforts to Protect Critical Program Information: The Army's Warfighter
Information Network - Tactical (Project No. D2008-DINT01-0242.001),
April 2, 2010


In response to your June 3, 2010, request for review of the subject response, we
concur and provide the attached comments. My point of contact is


DoD OIG - (b)(6)


DoD OIG - (b)(6) DoD OIG - (b)(6)


Director  of  Security 


Attachment:
As stated

RECOMMENDATION B2-2: We recommend that the Director, Defense Security
Service provide guidance on model language in the DD Form 254 in order to provide
the Defense Security Service with the information they need to protect Critical Program
Information.

DSS RESPONSE: In accordance with the Office of the Deputy Under Secretary of
Defense for HUMINT, CI, and Security (DUSD(HCI&S)) is responsible for policy
governing the use of the DD Form 254, not the Director, Defense Security Service.

DSS recommends that DUSD(HCI&S) revise language in the draft DoD 5200.39-M to
address both classified and unclassified CPI when instructing users to complete the DD
Form 254 to ensure the contractors are advised by the program manager and that DSS is
informed of unclassified CPI residing at a contractor facility.


OUSD(I) RESPONSE: CONCUR. We concur with the response provided by DSS. As
the office of primary responsibility for Industrial Security policy, presumably, this office
is also responsible for governing language of the "DD Form 254, Contract Security
Classification Specification, Department of Defense." The recommended language DSS
proposed will be incorporated in Enclosure 2, "Responsibilities," of the current draft
version of DoD Manual 5200.39-M.


RECOMMENDATION B6: We recommend that the Director, Defense Security
Service, determine and prepare written guidance to

<1  What  w/i  <t\oiud  t>€  c  c*rtointd  *a  tAt  DO  Pat  hi  254  to*  tftt  protection  oj 

trolled  l&clGSS/fieJ  CPI.  and 


ASA ALT - (b)(5)


DSS RESPONSE: As stated in our response to B2-2, the DUSD(HCI&S) and not DSS
is responsible for policy changes relating to the DD form

DSS recommends:

- Block 10, add CPI as a separate line item to be considered when completing the
form

- Instructions in blocks li and 14 fht/j.d ms: if. i Uir pn .'Tim manager 10 Wutidc
special CPI instructions (i.e., Program Protection Plan (PPP), Classification Guide,
etc.).

- The prime contractor must maintain and provide authorized government officials
with updated lists of all subcontractors participating in their contract/program and
indicate which require access to classified CPI (and/or require access to the CPI
at other locations) in conjunction with performance of their subcontracts

jr  i  if;,  <.  ci.ua)  ».v  -  atDSS  fee  tb-:  Program  Cilice  to  provide  PPf 
mfornuuion  (Review,  extraction  of  spplicafcie  mfo.araison  and  then  expedite 
•i  stnbti  :<«n  i.  thn  aypUeiblc  field  office*  for  pnrr.v  and  subccotociors  h>  IS.'O 

- Has a space for location of DSS central PPP repository as well as the address of
the cognizant DSS Field Office

- Indicate whether contractor(s) need(s) to implement specific technology
protection measures at their facility(ies)

OUSD(I) RESPONSE: CONCUR. DSS's recommended actions will be appropriately
addressed within Enclosure 7, "Responsibilities," and Enclosure 6, "Contract
Requirements," of draft DoD Manual 5200.39-M, "Procedures for Critical Program
Information Protection Within the Department of Defense."


Office of the Assistant Secretary of Defense (Networks and
Information Integration)/DoD Chief Information Officer


if.wowKt  aso 
LsrCkMAiigx 


OFl'iCCOF  THE  ASSISTANT  I  ikCRETAKYOS  DEFENSE 
COOO  DEFENSE  PENTAGON 

washhocton.  d,c  toao i  eoao 


MEMORANDUM  FOR  DEPUTE’  ASSISTANT  INSPECTOR  GENERAL  FOR 
IN  I ELLIGENCE  EVALUATIONS. 

DoD  INSPECTOR  GTNTRAI 

SUBJECT  Re-e*’-  .r  m  IG  Report  No  D200S-D1NTU 1-0242,001  DoD  Effort*  to 
Rrotcct  Critical  Program  infoanation  The  Anny’s  Warfighter  Information 
Network  -  Tactical" 

This  is  In  response  to  your  memorandum  of  April  9,  20 10  requesting  comment- 
pertaining  to  the  subject  draft  report's  recommendations 

With regards to recommendations B1-1, B-3, and B-8, we agree with the recommendations. In these recommendations ASD(NII)/DoD CIO is identified as providing support for each of these recommendations. DASD(IIA) is committed to provide consultation and support as requested by the lead organizations.

With regards to recommendation B5-1, we agree with the recommendation. Our action on this recommendation was completed with the issuance of Directive-Type Memorandum (DTM) 08-027, "Security of Unclassified DoD Information on Non-DoD Information Systems," on 31 July 2009. This issuance addresses the protection of critical program information on contractor systems. The DTM was coordinated with USD(AT&L) and USD(I) through the SD 106 process. In concert with the DTM, USD(AT&L) initiated DoD Federal Acquisition Regulation Supplement (DFARS) Case 2008-D028, "Safeguarding Unclassified Information," which will provide the specific guidance to contracting officers and associated clauses to implement the DTM in contracts.


We agree that the draft report is appropriately classified.

My point of contact for this response is

DoD OIG - (b)(6)   DoD OIG - (b)(6)


D  GuisAantc 

Deputy Assistant Secretary of Defense
(Identity and Information Assurance)
Consolidated Army Comments


DEPARTMENT OF THE ARMY
OFFICE OF THE ASSISTANT SECRETARY OF THE ARMY
ACQUISITION LOGISTICS AND TECHNOLOGY
103 ARMY PENTAGON
WASHINGTON, DC


SAAL-ZL 


iiUK'  r  fi  ?219 


MEMORANDUM  FOR  DEPUTY  INSPECTOR  GENERAL  FOR  INTELLIGENCE 

SUBJECT: Response to Draft DoD Inspector General Report, Project No. D2008-DINT01-0242.001


The enclosed document contains the U.S. Army's reply and comments to the draft report, Results in Brief: DoD Efforts to Protect Critical Program Information: The Army's Warfighter Information Network - Tactical. The Office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology concurs with the findings and [illegible] the enclosed comments to clarify points made in the draft report.


My point of contact is


Enc

Army Recommendations


(Acquisition, Logistics and Technology)
DoD Inspector General Project No. D2008-DINT01-0242.001

Objective Title: Results in Brief: DoD Efforts to Protect Critical Program Information: The Army's Warfighter Information Network - Tactical

Finding A. Army policy and structure need improved integration, synchronization and optimization for maximum protection of critical program information (CPI).

Recommendation A. We recommend the Assistant Secretary of the Army (Acquisition, Logistics and Technology) [ASA(ALT)], in conjunction with the Commanding General, Army Materiel Command, and the Army Deputy Chief of Staff, G-2, review and develop a plan of action that will result in the most efficient and effective means to integrate, synchronize and optimize research and technology protection efforts for the Army.

ARMY RESPONSE: Concur with comment. This is a consolidated ASA(ALT), HQDA DCS, G-2, Army Research and Technology Protection Center (ARTPC) and AMC G-2 response. The ASA(ALT)/Defense Industrial Base Cyber Security Office (DIBCSO), HQDA DCS, G-2, ARTPC, and the AMC G-2 continue to collaborate on matters that impact protection of Army CPI. Protection of Army CPI is governed by AR 70-1, DA PAM 70-1 and AR 381-11, which outline the specific responsibilities of the ARTPC and AMC G-2. ASA(ALT), with input from HQDA G-2, ARTPC, and AMC G-2, is developing an Army Regulation that will address these responsibilities in-depth to ensure Army programs properly identify CPI and implement countermeasures to effectively prevent compromise of CPI. ASA(ALT) expects to publish the Army Regulation by 15 December [year illegible].

Finding B. The Army's Warfighter Information Network - Tactical Program's Efforts to Protect Critical Program Information.

Issue Area One: Ability to identify critical program information

Recommendations:

B1-1. We recommend that the Undersecretary of Defense (Acquisition, Technology and Logistics) (USD(AT&L)), in consultation with the Under Secretary of Defense (Intelligence), the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer


ARMY RESPONSE: Concur.
B1-2. We recommend that the Under Secretary of Defense (Acquisition, Technology and Logistics) [illegible] guidance for identifying commercial off-the-shelf/government off-the-shelf components as critical information, to include assessment tools, and training.

ARMY RESPONSE: Concur.

Issue Area Two: Effectiveness in developing and implementing a Program Protection Plan

Recommendations:

B2-1. We recommend that the Under Secretary of Defense (Acquisition, Technology, and Logistics) provide guidance on model contract language in support of program protection planning to DoD and Component RTP officials.

ARMY RESPONSE: Concur with comment. DoD is seeking comments from Government and Industry on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for the safeguarding of unclassified information within industry.

B2-2. We recommend that the Director, Defense Security Service provide guidance on model language in the DD Form 254, in order to provide Defense Security Service with the information they need to protect critical program information.

ARMY RESPONSE: Concur with comment. FAR Clause 52.204-2, Security Requirements, binds the contractor to meet the security requirements identified in the National Industrial Security Manual (NISPOM) and further the DD Form 254 shall be used for contracts classified at the Confidential, Secret or Top Secret level. Changes in FAR language and policy will be required to support unclassified contracts containing CPI.

Issue Area Three: Training Efforts for the Protection of Critical Program Information

Recommendation:

B3. We recommend that the Undersecretary of Defense (Acquisition, Technology and Logistics), in collaboration with the Under Secretary of Defense (Intelligence), and the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer develop standardized guidance for training in CPI protection for use by the RTP community.

ARMY RESPONSE: Concur.

Issue  Area  Four:  Use  of  Resources  for  the  Prolee-tiun  of  Critical  Program  Information 
No Recommendations

Issue  Area  Five:  Effectiveness  of  Policies  to  Protect  Critical  Program  Information 
Recommendation:

B5-1. We recommend that the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer, in conjunction with the Under Secretaries of Defense for Acquisition, Technology and Logistics, and for Intelligence, develop and publish security requirements for contractors processing CPI on contractor-owned and controlled information systems.

ARMY RESPONSE: Concur. DoD is seeking comments from Government and industry on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for the safeguarding of unclassified information within industry.

Issue Area Six: Ability of Counterintelligence, Intelligence, and Security to Support the Protection of Critical Program Information.

Recommendation:

B6. We recommend that the Director, Defense Security Service, determine and prepare written guidance to:

a. What can and should be contained within the DD 254 for the protection of controlled unclassified CPI, and

b. How program protection should be implemented at the level of subcontractors, and how to verify contractor compliance with the DD Form 254 and the program protection plan.

ARMY RESPONSE: Concur.

Issue  Area  Seven:  Effectiveness  of  the  Foreign  Visit  Program 
No  Recommendation. 

Issue Area Eight: Application of Horizontal Protection of Critical Program Information

Recommendation:

B8. We recommend that the Under Secretary of Defense (Intelligence), in coordination with the Under Secretary of Defense (Acquisition, Technology and Logistics), and the Assistant Secretary of Defense (Networks and Information


ARMY RESPONSE: Concur with comment.


OASA  ALT  -  (b)(5) 


